Cyber Resilience

CVE-2026-20973

Severity: Medium
Published: 09 January 2026
Modified: 02 February 2026
KEV Added: not listed
Patch: SMR Jan-2026 Release 1 (Samsung January 2026 security advisory)
CVSS v3.1 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS score: 0.0039 (31.0th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-20973 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Samsung Android. Its CVSS base score is 5.3 (Medium).

Operationally, it is ranked at the 31.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-20973 is an out-of-bounds read vulnerability (CWE-125) in the libimagecodec.quram.so library in releases prior to SMR Jan-2026 Release 1. The flaw lets a remote attacker read memory outside the bounds of the intended buffer. The vulnerability, published on 2026-01-09, carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and affects Samsung devices relying on this component.

A remote attacker can exploit the vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or special conditions. Successful exploitation discloses out-of-bounds memory contents, resulting in a low-impact confidentiality loss with no effect on integrity or availability.

Samsung's January 2026 security advisory addresses the issue, recommending an update to SMR Jan-2026 Release 1 or later to mitigate the vulnerability. Additional details are available at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01.

Vulnerability details

Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows a remote attacker to access out-of-bounds memory.

CWE(s): CWE-125 (Out-of-bounds Read)

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-20890 (same product: Samsung Android)
CVE-2026-20983 (same product: Samsung Android)
CVE-2026-20970 (same product: Samsung Android)
CVE-2026-20990 (same product: Samsung Android)
CVE-2026-21010 (same product: Samsung Android)
CVE-2026-20971 (same product: Samsung Android)
CVE-2025-20903 (same product: Samsung Android)
CVE-2025-20888 (same product: Samsung Android)
CVE-2025-20881 (same product: Samsung Android)
CVE-2026-20979 (same product: Samsung Android)

Affected Assets

Vendor: samsung
Product: android
Versions: 13.0, 14.0, 15.0, 16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent (SI-2, Flaw Remediation): Directly requires timely installation of the vendor patch (SMR Jan-2026 Release 1) that eliminates the out-of-bounds read in libimagecodec.quram.so.

prevent: Enforces hardware or OS memory-protection mechanisms that can block or contain unauthorized out-of-bounds memory reads attempted via the vulnerable codec.

prevent (SI-10, Information Input Validation): Requires validation of image inputs before they reach libimagecodec.quram.so, preventing malformed data from triggering the out-of-bounds read.