CVE-2026-21014
Description
Improper access control in Samsung Camera prior to version 16.5.00.28 allows a local attacker to access location data. User interaction is required for triggering this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper access control in Samsung Camera prior to 16.5.00.28 lets a local attacker access location data with user interaction.
Vulnerability Overview
CVE-2026-21014 is an improper access control vulnerability in the Samsung Camera application. The flaw exists in versions prior to 16.5.00.28, where the app fails to properly enforce permissions, allowing a local attacker to access sensitive location data. The root cause is a missing or insufficient access control check that should restrict location information to authorized processes or user interactions.
Exploitation Conditions
Exploitation requires local access to the device and user interaction. The attacker must be able to run code on the same device (e.g., through a malicious app or physical access) and convince the user to perform an action that triggers the vulnerability. No network-based attack vector is involved; the attack surface is limited to the local environment.
Impact
A successful exploit allows the attacker to read the device's location data, which could reveal the user's whereabouts. This information could be used for surveillance or other privacy-invasive purposes. The CVSS v3 base score of 2.8 reflects the low severity due to the need for local access and user interaction.
Mitigation
Samsung has addressed the issue in Camera version 16.5.00.28 and later. Users are advised to update the application through the Galaxy Store or Samsung's update mechanism. The official advisory is available on the Samsung Mobile Security portal [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:samsung:camera:*:*:*:*:*:*:*:* (range: <16.5.00.28)
- (no CPE) (range: <16.5.00.28)
Patches
No patches discovered yet.
References
[1] security.samsungmobile.com/serviceWeb.smsb (nvd, Vendor Advisory)