Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-21033

CVE-2026-21033: Samsung Assistant RCE Vulnerability

CVE-2026-21033 is a remote code execution flaw in Samsung Assistant that allows local attackers to execute arbitrary scripts via improper component export. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-21033 Overview

CVE-2026-21033 affects Samsung Assistant versions prior to 9.3.14. The vulnerability stems from improper export of an Android application component, specifically the ExpressHomeWidgetReceiver. A local attacker can leverage the exposed component to execute arbitrary script on the affected device. Samsung addressed the issue in its June 2026 mobile security maintenance release.

Critical Impact

A locally installed malicious application can invoke the exported ExpressHomeWidgetReceiver without privileges or user interaction, leading to arbitrary script execution within the context of Samsung Assistant.

Affected Products

  • Samsung Assistant versions prior to 9.3.14
  • Android devices with Samsung Assistant pre-installed or installed via Galaxy Store
  • Samsung Galaxy ecosystem applications relying on the vulnerable widget receiver

Discovery Timeline

  • 2026-06-05 - CVE-2026-21033 published to NVD
  • 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2026-21033

Vulnerability Analysis

The vulnerability resides in ExpressHomeWidgetReceiver, a BroadcastReceiver component of the Samsung Assistant Android application. Android components declared in the manifest with android:exported="true" or with an intent-filter and no explicit access restriction become reachable by other applications on the device.

Samsung Assistant exposes ExpressHomeWidgetReceiver without the necessary permission guard or signature-level protection. As a result, any application installed on the same device can send a crafted intent to the receiver. The receiver then processes attacker-controlled data in a way that results in arbitrary script execution within the privileged context of Samsung Assistant.

Root Cause

The root cause is improper export of an Android application component, mapped to [NVD-CWE-noinfo] in the advisory. The receiver lacks proper access controls such as a signature-level permission, an android:permission attribute, or an explicit android:exported="false" declaration when no external invocation is required. Input received via the intent is not validated before being passed into a script execution path.

Attack Vector

Exploitation requires local access through a malicious application installed on the same device. No user interaction and no elevated privileges are required. The attacker app crafts an Intent targeting Samsung Assistant's ExpressHomeWidgetReceiver, embeds script payloads in the intent extras, and dispatches it via sendBroadcast(). Samsung Assistant then executes the supplied script with its own application privileges, allowing access to data and capabilities granted to Samsung Assistant. Refer to the Samsung Mobile Security Report for vendor details.

Detection Methods for CVE-2026-21033

Indicators of Compromise

  • Installation of Samsung Assistant versions earlier than 9.3.14 on managed Android devices
  • Unexpected broadcast intents targeting the com.samsung.android.app.assistant package and the ExpressHomeWidgetReceiver class
  • Side-loaded or untrusted applications that enumerate or invoke Samsung Assistant components
  • Anomalous script execution or outbound network activity originating from the Samsung Assistant process

Detection Strategies

  • Inventory installed Android applications and flag devices running Samsung Assistant below 9.3.14
  • Use mobile threat defense logs to identify apps that send broadcasts to Samsung system applications
  • Review Android logcat or EMM telemetry for repeated invocations of ExpressHomeWidgetReceiver

Monitoring Recommendations

  • Track Samsung Assistant version compliance through MDM or UEM reporting
  • Monitor for installation of unverified APKs from outside Galaxy Store and Google Play
  • Alert on Android applications requesting unusual QUERY_ALL_PACKAGES or component inspection behavior

How to Mitigate CVE-2026-21033

Immediate Actions Required

  • Update Samsung Assistant to version 9.3.14 or later via Galaxy Store
  • Enforce minimum Samsung Assistant version through MDM compliance policies
  • Remove untrusted third-party applications, particularly those installed outside official stores
  • Apply the June 2026 Samsung Mobile security maintenance release to managed devices

Patch Information

Samsung published the fix in the June 2026 Samsung Mobile Security Maintenance Release. The patched Samsung Assistant build is version 9.3.14. Full advisory details are available in the Samsung Mobile Security Report.

Workarounds

  • Disable or uninstall Samsung Assistant on devices that cannot receive the update
  • Restrict side-loading of applications and enforce Google Play Protect on managed devices
  • Use Android Enterprise work profiles to isolate corporate data from vulnerable consumer apps
  • Block installation of unknown sources through device policy until patched
bash
# Verify Samsung Assistant version via ADB
adb shell dumpsys package com.samsung.android.app.assistant | grep versionName

# Enforce minimum version through MDM compliance rule (example)
# package: com.samsung.android.app.assistant
# minimum_version: 9.3.14

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne