{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20984", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.799Z", "datePublished": "2026-02-04T06:14:47.058Z", "dateUpdated": "2026-02-04T16:57:38.337Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-280: Improper handling of insufficient permission"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Galaxy Wearable", "versions": [{"status": "unaffected", "version": "2.2.68"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-02-04T06:14:47.058Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T16:57:32.382120Z", "id": "CVE-2026-20984", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:57:38.337Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20984", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T16:57:32.382120Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:57:35.972Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Samsung Mobile", "product": "Galaxy Wearable", "versions": [{"status": "unaffected", "version": "2.2.68"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02"}], "descriptions": [{"lang": "en", "value": "Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-280: Improper handling of insufficient permission"}]}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-02-04T06:14:47.058Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20984", "state": "PUBLISHED", "dateUpdated": "2026-02-04T16:57:38.337Z", "dateReserved": "2025-12-11T01:33:35.799Z", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "datePublished": "2026-02-04T06:14:47.058Z", "assignerShortName": "SamsungMobile"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information."}, {"lang": "es", "value": "Manejo inadecuado de permisos insuficientes en Galaxy Wearable instalado en dispositivos que no son Samsung anterior a la versi\u00f3n 2.2.68 permite a atacantes locales acceder a informaci\u00f3n sensible."}], "id": "CVE-2026-20984", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-02-04T07:16:00.517", "references": [{"source": "mobile.security@samsung.com", "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Deferred"}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:54:27.263668+00:00", "value": {"mitigation_remediation": ["Upgrade Galaxy Wearable to version 2.2.68 or later.", "If an upgrade is not yet available, consider preventing the app from requesting sensitive permissions or disabling the app altogether on non\u2011Samsung devices.", "Restrict the installation and use of Galaxy Wearable to certified Samsung hardware, and enforce device\u2011level policy to block untrusted legacy firmware."], "summary": {"action": "Apply Update", "impact": "Local Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected systems include devices running Samsung Mobile:Galaxy Wearable application versions older than 2.2.68 that are installed on non\u2011Samsung hardware. The issue does not apply to Samsung devices or to Galaxy Wearable installations on those devices, nor to newer firmware releases past the stated version.", "description_and_impact": "The vulnerability results from improper handling of insufficient permission checks in the Galaxy Wearable app. This flaw allows a local attacker, who has access to a non\u2011Samsung device running a pre\u20112.2.68 version of the app, to read sensitive data that should be protected by the operating system's permission model. The weakness is a classic case of improperly enforced access control (CWE\u2011284), enabling confidential information exposure without requiring remote exploitation or elevated privileges.", "risk_and_exploitability": "The CVSS base score of 5.1 indicates moderate severity, while the EPSS score of less than 1% suggests exploitation is unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog, further implying low confidence in widespread use. Attackers must have local access to the device; no remote code execution or network traversal is required. Successful exploitation results in unauthorized disclosure of user data, which can compromise privacy and potentially lead to credential theft or downstream attacks if sensitive tokens are leaked."}}}}, "created": "2026-02-04T21:18:13.640022+00:00", "title": "Galaxy Wearable Permission Handling Vulnerability Enables Local Information Disclosure", "updated": "2026-04-18T00:00:09.483619+00:00", "vendors": ["samsung", "samsung$PRODUCT$galaxy_wearable", "samsung_mobile", "samsung_mobile$PRODUCT$galaxy_wearable"], "weaknesses": ["CWE-284"]}