{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21009", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.803Z", "datePublished": "2026-04-13T05:04:32.607Z", "dateUpdated": "2026-04-13T05:04:32.607Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Samsung Mobile Devices", "versions": [{"status": "unaffected", "version": "SMR Apr-2026 Release in Android 14, 15, 16", "versionType": "semver", "lessThan": "*"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning."}], "references": [{"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.1, "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-04-13T05:04:32.607Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning."}], "id": "CVE-2026-21009", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-04-13T06:16:05.483", "references": [{"source": "mobile.security@samsung.com", "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,SMR Apr-2026 Release in Android 14, 15, 16]"}}], "original": {"product": "Samsung Mobile Devices", "source": "cna", "vendor": "Samsung Mobile"}, "product": "mobile_devices", "vendor": "samsung"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,SMR Apr-2026 Release in Android 14, 15, 16]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Samsung Mobile Devices", "source": "cna", "vendor": "Samsung Mobile"}, "product": "samsung_mobile_devices", "vendor": "samsung_mobile"}], "analysis": {"en": {"generated_at": "2026-04-13T07:23:24.866510+00:00", "value": {"mitigation_remediation": ["Install Samsung Mobile firmware updates that include SMR Apr-2026 Release\u202f1 or later.", "Verify that the Recents functionality behaves correctly and that app pinning cannot be bypassed.", "Check for additional security advisories from Samsung regarding app pinning or Recents."], "summary": {"action": "Apply Patch", "impact": "Bypass App Pinning"}, "threat_synthesis": {"affected_systems": "Samsung Mobile Devices that run firmware versions before SMR Apr-2026 Release\u202f1. The vulnerability affects the Recents component responsible for managing application pinning on these devices.", "description_and_impact": "Improper handling of exceptional conditions in the Recents feature of Samsung Mobile Devices allows a physical attacker to bypass application pinning. This flaw disables the check that normally prevents unauthorized applications from being pinned, enabling a malicious app to replace or masquerade as a pinned app. The consequence is that an attacker who gains physical access to the device can potentially elevate privileges or compromise applications that rely on pinning for security, affecting confidentiality, integrity, or functionality of the pinned apps.", "risk_and_exploitability": "The CVSS score is 4.1, indicating a moderate severity overall. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be physical, requiring direct access to the device. Because the flaw permits bypassing app pinning, an attacker could take advantage of the device\u2019s user context once they have physical possession, but no remote exploitation is possible as described. The risk remains primarily limited to environments where devices are not physically secured or where users are likely to leave devices unattended."}}}}, "created": "2026-04-13T12:37:11.193529+00:00", "title": "App Pinning Bypass via Physical Attacker on Samsung Devices", "updated": "2026-04-13T12:52:58.473764+00:00", "vendors": ["samsung", "samsung$PRODUCT$mobile_devices", "samsung_mobile", "samsung_mobile$PRODUCT$samsung_mobile_devices"], "weaknesses": ["CWE-398", "CWE-200"]}