CVE-2026-21022
Description
Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A permission check flaw in Samsung Routines before the May 2026 security update lets local attackers access sensitive information.
Vulnerability Description
CVE-2026-21022 is an improper handling of insufficient permissions vulnerability in the Samsung Routines application on Samsung mobile devices. The flaw exists in versions prior to the SMR May-2026 Release 1 security update. The root cause is that the application does not correctly enforce its permission checks, allowing an unprivileged process to access data or functionality that should be protected.
Exploitation Requirements
An attacker must have local access to the device, typically gained through a malicious application installed by the user or through other means of local code execution. No additional authentication is needed beyond the device being unlocked. The attack surface is limited to the Routines application's local inter-process communication or file access points.
Impact
A successful exploit allows a local attacker to access sensitive information stored or processed by the Routines application. This could include user-created routine configurations, personal data connected to device functions, or other protected app internals. The CVSS v3 base score of 5.5 reflects a medium severity, indicating a notable but not critical impact on confidentiality.
Mitigation
Users are advised to install the SMR May-2026 Release 1 update, which addresses the permission handling flaw [1]. Samsung's monthly security maintenance release includes the fix. There is no evidence that the vulnerability has been exploited in the wild or that it is listed in CISA's KEV catalog. No workaround is available other than applying the update.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: prior to SMR May-2026 Release 1
Patches
No patches discovered yet.
References
[1] security.samsungmobile.com/securityUpdate.smsb (nvd, Vendor Advisory)