{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21002", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.802Z", "datePublished": "2026-03-16T04:32:11.128Z", "dateUpdated": "2026-03-16T13:59:29.066Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Galaxy Store", "versions": [{"status": "unaffected", "version": "4.6.03.8"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-03-16T04:32:11.128Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T13:59:23.936846Z", "id": "CVE-2026-21002", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:59:29.066Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21002", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:59:23.936846Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:59:26.437Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "Samsung Mobile", "product": "Galaxy Store", "versions": [{"status": "unaffected", "version": "4.6.03.8"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "descriptions": [{"lang": "en", "value": "Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-03-16T04:32:11.128Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21002", "state": "PUBLISHED", "dateUpdated": "2026-03-16T13:59:29.066Z", "dateReserved": "2025-12-11T01:33:35.802Z", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "datePublished": "2026-03-16T04:32:11.128Z", "assignerShortName": "SamsungMobile"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samsung:galaxy_store:*:*:*:*:*:*:*:*", "matchCriteriaId": "40D06C76-5232-4A91-B7A3-D3B64BCDBBA8", "versionEndExcluding": "4.6.03.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application."}, {"lang": "es", "value": "Verificaci\u00f3n incorrecta de firma criptogr\u00e1fica en Galaxy Store anterior a la versi\u00f3n 4.6.03.8 permite a atacante local instalar aplicaci\u00f3n arbitraria."}], "id": "CVE-2026-21002", "lastModified": "2026-04-07T00:34:23.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-03-16T14:18:11.367", "references": [{"source": "mobile.security@samsung.com", "tags": ["Vendor Advisory"], "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "4.6.03.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.6.03.8)"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "Galaxy Store", "source": "cna", "vendor": "Samsung Mobile"}, "product": "galaxy_store", "vendor": "samsung"}], "analysis": {"en": {"generated_at": "2026-04-08T21:37:42.215159+00:00", "value": {"mitigation_remediation": ["Upgrade Samsung Galaxy Store to version\u202f4.6.03.8 or later"], "summary": {"action": "Immediate Patch", "impact": "Local arbitrary application installation via improper signature verification"}, "threat_synthesis": {"affected_systems": "The affected product is Samsung Mobile\u2019s Galaxy Store. Versions earlier than 4.6.03.8 are vulnerable. No other versions are listed as impacted.", "description_and_impact": "The vulnerability in the Samsung Galaxy Store arises from an improper verification of cryptographic signatures for applications. Prior to version\u202f4.6.03.8, the store fails to confirm the signature of packages before allowing installation. Consequently, a local attacker who can influence the store locally can install any application, potentially with malicious payloads. The weakness corresponds to CWE\u2011347 and can lead to arbitrary code execution or compromised device integrity and confidentiality.", "risk_and_exploitability": "The assessment scores a CVSS base of 5.9, indicating medium severity, and an EPSS of less than\u202f1\u202f%, showing a very low likelihood of being exploited in the wild. It is not included in the CISA KEV catalogue. The attack requires local access to the device and the ability to manipulate the Galaxy Store such that an alternative application package is presented and installed. Once installed, the malicious application operates with the permissions granted to it, potentially compromising the device."}}}}, "created": "2026-03-17T09:55:06.115333+00:00", "title": "Galaxy Store Improper Signature Verification Enabling Arbitrary App Installation", "updated": "2026-04-09T08:29:46.059893+00:00", "vendors": ["samsung", "samsung$PRODUCT$galaxy_store"]}