{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21014", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.803Z", "datePublished": "2026-04-13T05:04:48.621Z", "dateUpdated": "2026-04-13T14:31:18.617Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-284: Improper Access Control"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Samsung Camera", "versions": [{"status": "unaffected", "version": "16.5.00.28", "versionType": "semver", "lessThan": "*"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data. User interaction is required for triggering this vulnerability."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-04-13T05:04:48.621Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T14:25:26.441916Z", "id": "CVE-2026-21014", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T14:31:18.617Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data. User interaction is required for triggering this vulnerability."}], "id": "CVE-2026-21014", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-04-13T06:16:06.140", "references": [{"source": "mobile.security@samsung.com", "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,16.5.00.28)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "samsung_camera", "vendor": "samsung_mobile"}], "analysis": {"en": {"generated_at": "2026-04-13T07:22:05.930061+00:00", "value": {"mitigation_remediation": ["Update Samsung Camera to version 16.5.00.28 or newer", "If immediate update is not available, restrict the camera app\u2019s location permission or disable location access for the app", "Check Samsung security advisories for any new updates or workarounds"], "summary": {"action": "Apply patch", "impact": "Location data disclosure"}, "threat_synthesis": {"affected_systems": "Samsung Mobile devices running the Camera application version lower than 16.5.00.28 are affected. The issue is present in all releases of Samsung Camera before that build, regardless of device model or region.", "description_and_impact": "This vulnerability arises from improper access control in the Samsung Camera application, enabling a local attacker to retrieve the device's location data. The primary impact is a privacy breach, where sensitive location information becomes available to an attacker who can access the device. The weakness corresponds to CWE\u2011284, where insecure permissions allow unauthorized data access.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a medium severity level, and the vendor has not listed this vulnerability in the CISA KEV catalog. The likelihood of exploitation is uncertain due to the requirement of user interaction and the fact that the attacker must have local physical or acquaintance access to the target device. However, once the conditions are met, the attacker can obtain the device\u2019s location data without additional privileges."}}}}, "created": "2026-04-13T12:37:06.970184+00:00", "title": "Local Attacker Can Access Location Data via Improper Access Control in Samsung Camera", "updated": "2026-04-13T12:52:54.534667+00:00", "vendors": ["samsung_mobile", "samsung_mobile$PRODUCT$samsung_camera"], "weaknesses": ["CWE-284"]}