{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21008", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.803Z", "datePublished": "2026-04-13T05:09:40.420Z", "dateUpdated": "2026-04-13T13:57:52.407Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200: Exposure of Sensitive Information"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Samsung Mobile Devices", "versions": [{"status": "unaffected", "version": "SMR Apr-2026 Release in Android 14, 15, 16", "versionType": "semver", "lessThan": "*"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows adjacent attacker to access sensitive information."}], "references": [{"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-04-13T05:09:40.420Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T13:57:43.584386Z", "id": "CVE-2026-21008", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:57:52.407Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21008", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T13:57:43.584386Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:57:47.865Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Samsung Mobile", "product": "Samsung Mobile Devices", "versions": [{"status": "unaffected", "version": "SMR Apr-2026 Release in Android 14, 15, 16", "lessThan": "*", "versionType": "semver"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"}], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows adjacent attacker to access sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200: Exposure of Sensitive Information"}]}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-04-13T05:09:40.420Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21008", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:57:52.407Z", "dateReserved": "2025-12-11T01:33:35.803Z", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "datePublished": "2026-04-13T05:09:40.420Z", "assignerShortName": "SamsungMobile"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows adjacent attacker to access sensitive information."}], "id": "CVE-2026-21008", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-04-13T06:16:05.360", "references": [{"source": "mobile.security@samsung.com", "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,SMR Apr-2026 Release in Android 14, 15, 16]"}}], "original": {"product": "Samsung Mobile Devices", "source": "cna", "vendor": "Samsung Mobile"}, "product": "mobile_devices", "vendor": "samsung"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,SMR Apr-2026 Release in Android 14, 15, 16]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Samsung Mobile Devices", "source": "cna", "vendor": "Samsung Mobile"}, "product": "samsung_mobile_devices", "vendor": "samsung_mobile"}], "analysis": {"en": {"generated_at": "2026-04-13T07:21:40.902694+00:00", "value": {"mitigation_remediation": ["Apply the SMR Apr-2026 Release\u202f1 update to your Samsung Mobile Devices.", "If an update is not yet available, disable or restrict the S Share feature until the patch is applied.", "Monitor devices for signs of unauthorized data access and review logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Samsung Mobile Devices that have not received the SMR Apr-2026 Release\u202f1 update are affected. This includes devices running firmware versions before the release. No specific version numbers are supplied, so all devices with older S Share implementations remain at risk.", "description_and_impact": "The vulnerability allows an adjacent attacker to access sensitive information stored in the S Share feature on Samsung Mobile Devices before the SMR Apr-2026 Release\u202f1 update. By exposing data that should remain confidential, the flaw permits an attacker to read personal files, messages, or other privacy\u2011sensitive content. The impact is a loss of confidentiality for affected users and could lead to privacy breaches or credential theft if the compromised data includes login details. The likely attack vector is proximity or device adjacency, inferred from the phrase \"adjacent attacker\", although the description does not specify the exact method of exploitation.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. No EPSS information is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known exploit in the wild. However, because the attack likely requires physical proximity or device adjacency, the threat is limited to environments where such adjacency exists. The risk remains moderate, with potential confidentiality loss for affected users."}}}}, "created": "2026-04-13T12:37:04.778605+00:00", "title": "Sensitive Data Exposure via S Share in Samsung Mobile Devices", "updated": "2026-04-13T12:52:52.555579+00:00", "vendors": ["samsung", "samsung$PRODUCT$mobile_devices", "samsung_mobile", "samsung_mobile$PRODUCT$samsung_mobile_devices"], "weaknesses": ["CWE-200", "CWE-284"]}