Description
Improper export of android application components in ExpressHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script.
Published: 2026-06-05
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper export of Android application components in the ExpressHomeWidgetReceiver of Samsung Assistant allows a local attacker to execute arbitrary scripts. The vulnerability does not specify remote exploitation or additional capabilities beyond running code under the app’s context.

Affected Systems

Samsung Mobile devices that ship with Samsung Assistant versions earlier than 9.3.14 are affected. Updating the assistant application to version 9.3.14 or later removes the exposed component and mitigates the vulnerability.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity while the EPSS score of less than 1% indicates a very low but nonzero exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector, as inferred from the description, is a local attacker who can place or trigger an arbitrary script on the device, such as via a malicious application or user action. Exploitation requires physical or logical access to the device and does not rely on remote network interaction.

Generated by OpenCVE AI on June 12, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Samsung Assistant to version 9.3.14 or later
  • If the update is unavailable, uninstall or disable Samsung Assistant to eliminate the vulnerable component
  • Check and restrict component export settings in the app configuration to prevent exposure of internal receivers

Generated by OpenCVE AI on June 12, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Improperly Exported Android Component Enables Local Code Execution in Samsung Assistant
Weaknesses CWE-200
CWE-269

Thu, 11 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Title Local Code Execution via Improper Export of Samsung Assistant Widget
Weaknesses CWE-285

Thu, 11 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Samsung
Samsung assistant
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:samsung:assistant:*:*:*:*:*:*:*:*
Vendors & Products Samsung
Samsung assistant
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Mobile
Samsung Mobile samsung Assistant
Vendors & Products Samsung Mobile
Samsung Mobile samsung Assistant

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Title Local Code Execution via Improper Export of Samsung Assistant Widget
Weaknesses CWE-285

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Description Improper export of android application components in ExpressHomeWidgetReceiver of Samsung Assistant prior to version 9.3.14 allows local attacker to execute arbitrary script.
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Samsung Assistant
Samsung Mobile Samsung Assistant
cve-icon MITRE

Status: PUBLISHED

Assigner: SamsungMobile

Published:

Updated: 2026-06-05T19:11:52.301Z

Reserved: 2025-12-11T01:33:35.806Z

Link: CVE-2026-21033

cve-icon Vulnrichment

Updated: 2026-06-05T19:11:46.167Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-05T11:16:35.897

Modified: 2026-06-11T19:43:25.763

Link: CVE-2026-21033

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T00:30:07Z

Weaknesses