{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20993", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.801Z", "datePublished": "2026-03-16T04:32:00.299Z", "dateUpdated": "2026-03-16T13:19:36.779Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-926 : Improper Export of Android Application Components"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Samsung Assistant", "versions": [{"status": "unaffected", "version": "9.3.10.7"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper export of android application components in Samsung Assistant prior to version 9.3.10.7 allows local attacker to access saved information."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-03-16T04:32:00.299Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20993", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:10:39.782349Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:19:36.779Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20993", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:10:39.782349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:16:05.930Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 4.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "Samsung Mobile", "product": "Samsung Assistant", "versions": [{"status": "unaffected", "version": "9.3.10.7"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "descriptions": [{"lang": "en", "value": "Improper export of android application components in Samsung Assistant prior to version 9.3.10.7 allows local attacker to access saved information."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-926 : Improper Export of Android Application Components"}]}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-03-16T04:32:00.299Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20993", "state": "PUBLISHED", "dateUpdated": "2026-03-16T13:19:36.779Z", "dateReserved": "2025-12-11T01:33:35.801Z", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "datePublished": "2026-03-16T04:32:00.299Z", "assignerShortName": "SamsungMobile"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samsung:assistant:*:*:*:*:*:*:*:*", "matchCriteriaId": "0390EDD5-280E-4617-BC49-F5EDA21E4A77", "versionEndExcluding": "9.3.10.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper export of android application components in Samsung Assistant prior to version 9.3.10.7 allows local attacker to access saved information."}, {"lang": "es", "value": "Exportaci\u00f3n indebida de componentes de aplicaci\u00f3n de Android en Samsung Assistant anterior a la versi\u00f3n 9.3.10.7 permite al atacante local acceder a la informaci\u00f3n guardada."}], "id": "CVE-2026-20993", "lastModified": "2026-04-07T00:37:35.297", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-03-16T14:18:10.147", "references": [{"source": "mobile.security@samsung.com", "tags": ["Vendor Advisory"], "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "9.3.10.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,9.3.10.7)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Samsung Assistant", "source": "cna", "vendor": "Samsung Mobile"}, "product": "samsung_assistant", "vendor": "samsung"}], "analysis": {"en": {"generated_at": "2026-04-08T23:09:51.224318+00:00", "value": {"mitigation_remediation": ["Update Samsung Assistant to a version newer than 9.3.10.7 when an update is available", "If no update is available, uninstall or disable Samsung Assistant to eliminate the disclosure risk", "Continuously monitor Samsung security advisories for additional patches or guidance"], "summary": {"action": "Apply patch", "impact": "Local information disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Samsung Mobile\u2019s Samsung Assistant on devices running any build earlier than 9.3.10.7. Versions 9.3.10.7 and later have corrected the component export handling, making the issue absent from those releases.", "description_and_impact": "Samsung Assistant prior to version\u202f9.3.10.7 improperly exports Android application components, allowing a local attacker to read data stored by the assistant. This results in a confidentiality breach of user information that should remain private.", "risk_and_exploitability": "With a CVSS score of 4.8 the risk is considered low. The EPSS score of less than\u202f1\u202f% indicates that exploitation is unlikely. No remote attack vector is disclosed; the flaw is exploitable only by a local actor with physical or logical access to the device, for example a user in possession of the phone or a malicious app with user\u2011level permissions. There is no privilege escalation beyond the local context, and the vulnerability is not listed in CISA\u2019s KEV catalog, further reducing immediate threat."}}}}, "created": "2026-03-17T09:55:14.965860+00:00", "title": "Local Information Disclosure via Improper Component Export in Samsung Assistant", "updated": "2026-04-09T08:29:49.029195+00:00", "vendors": ["samsung", "samsung$PRODUCT$samsung_assistant"]}