{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21003", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.802Z", "datePublished": "2026-04-13T04:57:14.913Z", "dateUpdated": "2026-04-13T04:57:14.913Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20: Improper Input Validation"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Samsung Mobile Devices", "versions": [{"status": "unaffected", "version": "SMR Apr-2026 Release in Selected Android 14, 15, 16 devices", "versionType": "semver", "lessThan": "*"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions."}], "references": [{"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.2, "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-04-13T04:57:14.913Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions."}], "id": "CVE-2026-21003", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-04-13T05:16:02.230", "references": [{"source": "mobile.security@samsung.com", "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,SMR Apr-2026 Release in Selected Android 14, 15, 16 devices]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Samsung Mobile Devices", "source": "cna", "vendor": "Samsung Mobile"}, "product": "mobile_devices", "vendor": "samsung"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,SMR Apr-2026 Release in Selected Android 14, 15, 16 devices]"}}], "original": {"product": "Samsung Mobile Devices", "source": "cna", "vendor": "Samsung Mobile"}, "product": "samsung_mobile_devices", "vendor": "samsung_mobile"}], "analysis": {"en": {"generated_at": "2026-04-13T06:50:37.256047+00:00", "value": {"mitigation_remediation": ["Apply the SMR Apr\u20112026 Release\u202f1 Samsung security update to address the input validation flaw", "If the update cannot be applied immediately, enforce strict physical access controls such as secure storage, device lockouts, and biometric authentication to reduce the risk of a physical attacker altering network restrictions"], "summary": {"action": "Update Device", "impact": "Network restriction bypass via physical attack"}, "threat_synthesis": {"affected_systems": "All Samsung Mobile Device firmware versions released prior to the SMR Apr\u20112026 Release\u202f1 update are affected. No specific build numbers are listed, so the issue is presumed to exist across the entire spectrum of devices shipped before the mentioned update.", "description_and_impact": "Improper input validation in the data controlling network restrictions on Samsung Mobile Devices before the SMR Apr\u20112026 Release\u202f1 update allows a physically present attacker to manipulate restriction settings. By altering this data, the device can be coerced into permitting network communication that should be disallowed, which could expose the device to unauthorized data transmission or further local compromise. The vulnerability represents a breach of confidentiality and integrity but does not enable remote code execution or broader system compromise.", "risk_and_exploitability": "The CVSS score of 5.2 indicates a moderate risk. No EPSS score or KEV listing suggests limited public exploitation data. Exploitation requires physical possession of the device and the ability to modify the network restriction configuration; thus, attackers without direct device access cannot exploit the flaw. The attack vector is local and exploits improper input validation rather than remote vulnerabilities."}}}}, "created": "2026-04-13T12:37:15.247018+00:00", "title": "Network Restrictions Bypass via Physical Attack on Samsung Mobile Devices", "updated": "2026-04-13T12:53:02.617055+00:00", "vendors": ["samsung", "samsung$PRODUCT$mobile_devices", "samsung_mobile", "samsung_mobile$PRODUCT$samsung_mobile_devices"], "weaknesses": ["CWE-20"]}