{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21023", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.804Z", "datePublished": "2026-04-29T04:46:46.051Z", "dateUpdated": "2026-04-29T04:46:46.051Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Samsung Mobile Devices", "versions": [{"status": "unaffected", "version": "SMR Mar-2026 Release in Android 14, 15, 16", "versionType": "semver", "lessThan": "*"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of specific application."}], "references": [{"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=03"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-04-29T04:46:46.051Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of specific application."}], "id": "CVE-2026-21023", "lastModified": "2026-04-29T05:16:04.070", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-04-29T05:16:04.070", "references": [{"source": "mobile.security@samsung.com", "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=03"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[SMR Mar-2026 Release in Android 14, 15, 16,* )"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Samsung Mobile Devices", "source": "cna", "vendor": "Samsung Mobile"}, "product": "mobile_devices", "vendor": "samsung"}], "analysis": {"en": {"generated_at": "2026-04-29T06:20:46.994073+00:00", "value": {"mitigation_remediation": ["Apply the latest Samsung security patch that updates PackageManagerService to SMR Mar\u20112026 Release\u202f1 or newer", "Restart the device to ensure the updated PackageManagerService is active", "Configure device settings to disallow installation from unknown or unverified sources to reduce the attack surface"], "summary": {"action": "Update Device", "impact": "Local Privilege Escalation via Modification of Installation Restrictions"}, "threat_synthesis": {"affected_systems": "Samsung Mobile Devices that have not installed the SMR Mar-2026 Release\u202f1 security patch. No specific version information is provided beyond the reference to the March\u202f2026 release.;", "description_and_impact": "The vulnerability lies in the PackageManagerService of Samsung Mobile Devices, where insufficient verification of data authenticity allows a local attacker to alter the installation restriction of a specific application. The attacker can effectively elevate privileges at the device level by enabling or disabling installation controls for target apps, enabling the installation of rogue or unauthenticated applications and potentially bypassing security safeguards.", "risk_and_exploitability": "With a CVSS score of 6.9, the vulnerability presents a moderate risk. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is local; attackers must have physical or local access to the device. No remote exploitation or widespread automated attacks are described, which mitigates the overall exposure, but operational security demands review of device firmware and settings."}}}}, "created": "2026-04-29T06:30:04.392374+00:00", "title": "Local Modification of Application Installation Restrictions via PackageManagerService", "updated": "2026-04-29T07:00:04.813436+00:00", "vendors": ["samsung", "samsung$PRODUCT$mobile_devices"], "weaknesses": ["CWE-285"]}