CVE-2026-21025: Samsung Telephony Privilege Assignment Flaw – Data Exposure Risk
A privilege assignment flaw in Samsung's Telephony component allows local users to read sensitive information on affected Android devices. The vulnerability requires an attacker to already have local access to the device—meaning physical possession or a compromised app—but does not let them modify data or crash the system. Samsung addressed this in the June 2026 Security Maintenance Release 1 (SMR Jun-2026 Release 1).
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- —
- Affected products
- 85 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
Incorrect privilege assignment in Telephony prior to SMR Jun-2026 Release 1 allows local attackers to access sensitive information.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-21025 stems from incorrect privilege assignment within the Telephony subsystem on Samsung Android devices. The flaw allows processes running with local user privileges to access sensitive information that should be restricted. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a local attack vector, low complexity, requirement for low privileges, no user interaction, and high confidentiality impact confined to the affected system. No integrity or availability compromise occurs. The vulnerability was patched in the SMR Jun-2026 Release 1 maintenance release.
Business impact
Organizations managing Samsung Android fleets face a data exposure risk. If a device is already compromised or a malicious app gains installation, an attacker can exfiltrate sensitive telephony-related information—potentially including call logs, subscriber information, or related metadata. This is particularly concerning for enterprises using Samsung devices in regulated industries (healthcare, finance) where unauthorized data access triggers compliance violations and breach notification obligations. The attack requires prior compromise, which lowers immediate enterprise risk but increases the damage of successful lateral movement or supply-chain compromise scenarios.
Affected systems
All Samsung Android devices shipped with Telephony components prior to the June 2026 SMR Release 1 are affected. Samsung released 40 distinct Android device variants vulnerable to this issue. Organizations should cross-reference their device inventory against Samsung's official advisory to determine exact models and firmware versions requiring patching.
Exploitability
Exploitation is feasible but constrained. An attacker requires local code execution (physical device access, malicious app installation, or compromise of another vulnerability). The attack surface is therefore limited to threat scenarios where the device is already partially compromised. No remote exploitation path exists. The low attack complexity means that once local access is achieved, triggering the privilege escalation requires no special conditions. This vulnerability is not currently tracked in CISA's KEV (Known Exploited Vulnerabilities) catalog, indicating no confirmed active exploitation in the wild as of the publication date.
Remediation
Apply Samsung's June 2026 SMR Release 1 (or later) to all affected Android devices. Verify patch deployment via device settings or mobile device management (MDM) consoles. Until patching is complete, reinforce device security posture by disabling installation of apps from unknown sources, enforcing screen lock policies, and limiting use of Samsung devices in high-risk environments where sensitive data handling is required. Consider deploying containerization or app-level controls to restrict what local apps can access.
Patch guidance
Samsung delivered the fix in the SMR Jun-2026 Release 1. Check your device's Build Number and Security Patch Level under Settings > About Device. Devices showing security patches dated June 2026 or later for Android security maintenance releases are patched. Use your organization's MDM solution to enforce automated deployment of this release across the fleet. Samsung's official security bulletin should be consulted to verify which specific device models and firmware channels are included in this release. Allow 4–6 weeks for carrier-specific OTA (over-the-air) rollout to non-WiFi devices.
Detection guidance
Monitor device logs and MDM telemetry for Telephony process behavior on unpatched devices. Look for unusual access patterns to telephony databases or system properties from non-system UIDs. Correlate with app-level events to identify processes attempting read operations on restricted telephony data. Endpoint Detection and Response (EDR) tools configured for Android can flag unauthorized access to /data/databases/mmssms.db, call logs, or subscriber identity information. Cross-reference patch compliance reports from your MDM with vulnerability tracking databases to identify devices still at risk.
Why prioritize this
Despite the CVSS 5.5 MEDIUM score, this vulnerability merits prompt attention in regulated environments because it enables data exfiltration without system modification, directly threatening confidentiality compliance requirements. The lack of KEV listing suggests low current exploitation risk, allowing time for orderly patching. However, organizations with high-value Samsung Android deployments or those using devices in compliance-sensitive roles (healthcare, financial services) should prioritize this in their patch cycle alongside critical vulnerabilities. For general enterprise use, standard patch cadence (monthly or quarterly) is acceptable.
Risk score, explained
The CVSS 5.5 MEDIUM rating reflects the combination of a local-only attack vector (reducing threat surface), requirement for prior privilege/access (further limiting exposure), and high confidentiality impact (making the actual harm significant when exploited). The absence of integrity or availability impact means an attacker cannot corrupt data or disrupt service—only observe. Organizational risk is heavily dependent on the sensitivity of data stored on affected devices and the likelihood of local compromise. A device used for secure communications or housing sensitive credentials would present higher real-world risk than a general-purpose business device.
Frequently asked questions
Can this vulnerability be exploited remotely over the internet or via a malicious link?
No. CVE-2026-21025 is strictly local. It requires an attacker to already have code execution on the device—either physical access or a compromised app. Clicking a link or visiting a website alone cannot trigger this flaw. However, if another remote vulnerability allows app installation, this local privilege issue could be chained as part of a multi-stage attack.
What sensitive information is at risk?
The vulnerability affects Telephony component data, which typically includes call logs, SMS messages, subscriber identity information, and related metadata. Exact exposure depends on your device configuration and what data the Telephony system stores. Verify with Samsung's advisory for your specific device model to understand scope.
Do I need to immediately recall or disable affected Samsung devices?
No immediate recall is necessary. Because exploitation requires local access, the risk is manageable through standard patching timelines. Apply the June 2026 SMR Release 1 during your standard maintenance windows. Devices used in very high-security contexts (classified data handling, top-secret comms) should be prioritized for faster patching; general business devices can follow routine schedules.
Is this vulnerability being actively exploited in the wild?
As of the published date, CVE-2026-21025 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation has been reported. Continue monitoring threat intelligence feeds and CISA advisories for any status change.
This analysis is provided for informational purposes and reflects the state of public information as of the publication date. All version numbers, patch dates, and vendor claims are based on official Samsung advisories and should be verified independently before operational decisions are made. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance; organizations must consult Samsung's official security bulletins and test patches in their environments before broad deployment. This vulnerability does not constitute an imminent threat to uncompromised devices but warrants prompt patching as part of routine security maintenance. Consult your organization's risk management and compliance teams to determine prioritization appropriate for your specific context. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-21017MEDIUMSamsung SecTelephonyProvider Privilege Escalation (Medium Severity, Local Attack)
- CVE-2026-21026MEDIUMSamsung SpriteWallpaper Local Information Disclosure
- CVE-2026-21036MEDIUMSamsung Internet Authorization Flaw Exposes Sensitive Data
- CVE-2026-21038MEDIUMSamsung Android USB Driver Out-of-Bounds Memory Read Vulnerability
- CVE-2026-21027LOWSamsung ImsSettings Local Integrity Vulnerability – Patch & Analysis
- CVE-2026-21029HIGHSamsung Galaxy Editing Service Local Privilege Escalation (CVSS 7.8)
- CVE-2026-21031HIGHAppBlock Authorization Flaw in Samsung Android—Risk & Patch Guidance
- CVE-2026-21032HIGHSamsung Assistant SmartHomeWidgetReceiver Arbitrary Script Execution (7.1 HIGH)