MEDIUM 5.5

CVE-2026-21028: Samsung AuditLogService Access Control Flaw

A flaw in Samsung's AuditLogService component fails to properly restrict access to sensitive information, allowing local users with basic device access to read data they shouldn't be able to see. The vulnerability is present in Android releases prior to June 2026 Security Maintenance Release 1 and has a moderate severity rating.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
Affected products
11 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

Improper access control in AuditLogService prior to SMR Jun-2026 Release 1 allows local attackers to access sensitive information.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-21028 is an improper access control vulnerability within AuditLogService on Samsung Android devices. The flaw permits authenticated local attackers—those already with user-level privileges on the device—to bypass authorization checks and retrieve sensitive information from audit logs. The vulnerability is fixed in the Samsung Android June 2026 SMR Release 1 patch. With a CVSS v3.1 score of 5.5 (vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), the attack requires local access and user-level privileges, but no user interaction is needed to trigger the information disclosure.

Business impact

For organizations deploying Samsung Android devices, this vulnerability presents a risk of unauthorized access to audit logs and related sensitive metadata. While the attack requires local device access and cannot modify or delete data, the confidentiality impact could expose user activity, system operations, or other logged information that should be protected. Organizations managing large device fleets should prioritize inventory and remediation to prevent potential data leakage and maintain compliance with data protection policies.

Affected systems

This vulnerability affects Samsung Android devices across multiple product variants. All Samsung Android installations prior to the June 2026 Security Maintenance Release 1 are vulnerable. Organizations should verify the exact device models and firmware versions in their environment against Samsung's official advisory to determine exposure scope.

Exploitability

Exploitation requires an attacker to already possess local access to a Samsung Android device and operate with user-level permissions. The vulnerability does not require user interaction once access is gained, making it straightforward to exploit for a local user seeking to read sensitive audit logs. However, the attack surface is limited to local threat actors; remote exploitation is not possible. Ransomware and commodity malware operators are not currently known to be targeting this flaw.

Remediation

Organizations should apply the Samsung Android June 2026 Security Maintenance Release 1 patch to all affected devices. Device management platforms should be configured to enforce this update across the fleet. For devices that cannot be immediately patched, consider restricting physical access and implementing device-level monitoring to detect unusual access patterns to audit logs.

Patch guidance

Update affected Samsung Android devices to the June 2026 Security Maintenance Release 1 or later. Verify the specific firmware version after update to confirm the patch was applied successfully. Samsung's security advisory will list the exact patch versions for each affected device model. Organizations using mobile device management (MDM) solutions should deploy the update through their MDM platform to ensure consistent coverage and tracking across the fleet.

Detection guidance

Monitor for unusual access patterns to system audit logs and AuditLogService components on Samsung Android devices. Endpoint detection and response (EDR) solutions with Android support can help identify unauthorized attempts to read audit log data. Check device logs for security events related to permission violations or unexpected service access. If available, enable enhanced audit logging on Samsung devices to capture attempts to access audit logs themselves.

Why prioritize this

While this is a moderate-severity vulnerability (CVSS 5.5) and not yet in the CISA Known Exploited Vulnerabilities catalog, the risk to organizations stems from the confidentiality impact and the simplicity of local exploitation. Any device with user-level account compromise or local physical access becomes a vector for sensitive information disclosure. Prioritize based on device inventory, data sensitivity, and physical security posture; devices handling high-value or compliance-sensitive information should be patched urgently.

Risk score, explained

The CVSS 5.5 score reflects a flaw with high confidentiality impact but no integrity or availability impact. The attack requires local access and user-level privileges, limiting the threat actor pool to those with legitimate or compromised device access. The score appropriately excludes widespread remote exploitation scenarios but signals meaningful risk for organizations where local access controls or device theft/loss is a realistic concern.

Frequently asked questions

Can this vulnerability be exploited remotely over the network?

No. The vulnerability requires local access to the device and user-level privileges. Remote exploitation is not possible. The attack vector is strictly limited to local users or attackers who have already obtained physical access or a compromised account on the device.

What information can an attacker access through this flaw?

Attackers can read sensitive information contained within audit logs managed by AuditLogService. The exact scope depends on what Samsung logs in those audit records, which may include user activity, system operations, or other metadata. Organizations should review Samsung's security advisory for specifics about what data is at risk.

Is there a workaround if I cannot patch immediately?

There is no known workaround that fully mitigates the vulnerability. Interim risk reduction measures include restricting physical device access, enforcing strong authentication for device unlock, limiting user account privileges where possible, and monitoring for suspicious access attempts to system services.

Will this be added to CISA's Known Exploited Vulnerabilities (KEV) catalog?

As of the last update, this vulnerability is not listed in CISA's KEV catalog. That status can change if exploitation evidence emerges. Organizations should monitor CISA's advisory updates and Samsung's security bulletin for any changes in threat assessment or exploitation activity.

This analysis is based on official vulnerability data and Samsung's advisory as of June 2026. Specific patch version numbers, affected device models, and remediation timelines should be verified against Samsung's official security bulletin and your organization's device inventory. The information provided is for security decision-making and does not constitute legal or compliance advice. Organizations must assess risk within their own threat model and operational environment. No exploit code or weaponized proof-of-concept information is provided herein. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).