CVE-2026-20973
Published: 09 January 2026
Summary
CVE-2026-20973 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in the Quram image codec (libimagecodec.quram.so) shipped in Samsung Android. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks at the 31.0th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-20973 is an out-of-bounds read vulnerability (CWE-125) in the libimagecodec.quram.so library prior to SMR Jan-2026 Release 1. This flaw enables a remote attacker to access out-of-bounds memory. The vulnerability, published on 2026-01-09, carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and affects Samsung devices relying on this component.
The vector describes a remote attacker on the network with low attack complexity, needing neither privileges nor user interaction. In practice the trigger is attacker-controlled image data reaching the Quram decoder, so any feature that decodes received images on the device is exposed. A successful read discloses memory adjacent to the decode buffer (low-impact confidentiality loss); integrity and availability are not affected, although a read that runs off the end of a mapping will crash the decoding process rather than leak data.
Samsung's January 2026 security advisory addresses the issue and recommends updating to SMR Jan-2026 Release 1 or later. On a device, the installed level can be checked with `adb shell getprop ro.build.version.security_patch` and compared against the January 2026 SMR. Additional details are available at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=01.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1795
Vulnerability details
Out-of-bounds read in libimagecodec.quram.so prior to SMR Jan-2026 Release 1 allows remote attacker to access out-of-bounds memory.
- CWE(s): CWE-125 (Out-of-bounds Read)
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Affected Assets
Samsung devices shipping libimagecodec.quram.so at a version prior to SMR Jan-2026 Release 1.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patch (SMR Jan-2026 Release 1) that eliminates the out-of-bounds read in libimagecodec.quram.so. This is the only control that removes the bug.
- SI-16 (Memory Protection): hardware or OS memory-protection mechanisms limit what an out-of-bounds read can reach. A read that crosses into an unmapped or non-readable page faults instead of leaking, but these mechanisms do not stop reads that stay inside the same mapping as the decode buffer, so they contain rather than prevent exploitation.
- SI-10 (Information Input Validation): validating image inputs before they reach libimagecodec.quram.so (for example, rejecting images whose declared dimensions or section lengths exceed the bytes actually supplied) prevents malformed data from triggering the out-of-bounds read.
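To make the CWE-125 pattern behind this advisory concrete, here is an added example that is not code from Samsung or the Quram codec (the advisory does not describe the real file format or the faulty check). It uses a hypothetical four-byte-header greyscale format: the vulnerable decoder trusts the header-declared dimensions and reads past the bytes it was handed, while the hardened decoder validates the declared pixel count against the supplied length before touching pixel data. The sample image and the "adjacent memory" bytes are constructed inline so the leak is deterministic and stays inside one array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical toy format (an assumption for illustration only):
 *   bytes 0-1 : width  (little-endian uint16)
 *   bytes 2-3 : height (little-endian uint16)
 *   bytes 4.. : width*height greyscale pixel bytes
 */
#define TOY_HDR_LEN 4

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* VULNERABLE: never checks that width*height pixel bytes are present in
 * the `len` bytes supplied. A crafted header makes the loop read beyond
 * the image and into whatever sits next to it in memory (CWE-125). */
long toy_sum_pixels_vulnerable(const uint8_t *buf, size_t len)
{
    if (len < TOY_HDR_LEN) return -1;
    uint32_t w = rd16le(buf), h = rd16le(buf + 2);
    const uint8_t *px = buf + TOY_HDR_LEN;
    long sum = 0;
    for (uint32_t i = 0; i < w * h; i++)   /* out of bounds when w*h > len - 4 */
        sum += px[i];
    return sum;
}

/* HARDENED: the declared pixel count is validated against the bytes
 * actually supplied before any pixel is read (the SI-10 style check). */
long toy_sum_pixels_hardened(const uint8_t *buf, size_t len)
{
    if (len < TOY_HDR_LEN) return -1;
    uint32_t w = rd16le(buf), h = rd16le(buf + 2);
    /* Both factors are <= 65535, so w*h fits in uint32_t without wrapping. */
    uint32_t npix = w * h;
    if (npix == 0 || npix > len - TOY_HDR_LEN) return -1;  /* reject short input */
    const uint8_t *px = buf + TOY_HDR_LEN;
    long sum = 0;
    for (uint32_t i = 0; i < npix; i++)
        sum += px[i];
    return sum;
}

/* Constructed sample: a genuine 2x2 image (8 bytes) at the start of an
 * arena, followed by 8 bytes standing in for adjacent process memory. */
static const uint8_t arena[16] = {
    0x02, 0x00, 0x02, 0x00,                         /* width=2, height=2 */
    1, 2, 3, 4,                                     /* the 4 real pixels */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41  /* "adjacent" secret bytes */
};
#define IMAGE_LEN 8   /* bytes the caller actually received */

/* Flip the height field to 6 so the header claims 12 pixels while only 4
 * (plus the adjacent bytes) follow. Returns the decoder's result. */
static long decode_crafted(long (*decoder)(const uint8_t *, size_t))
{
    uint8_t crafted[sizeof arena];
    memcpy(crafted, arena, sizeof arena);
    crafted[2] = 0x06; crafted[3] = 0x00;            /* height 2 -> 6 */
    return decoder(crafted, IMAGE_LEN);              /* caller passes the honest length */
}

/* Vulnerable decoder on the crafted input: sums 1+2+3+4 plus 8*0x41,
 * i.e. the adjacent bytes leak into the result. */
long demo_vulnerable_leak(void)  { return decode_crafted(toy_sum_pixels_vulnerable); }
/* Hardened decoder on the same input: rejects it with -1. */
long demo_hardened_rejects(void) { return decode_crafted(toy_sum_pixels_hardened); }

int main(void)
{
    printf("benign image, hardened decoder : %ld\n", toy_sum_pixels_hardened(arena, IMAGE_LEN));
    printf("crafted image, vulnerable      : %ld (adjacent bytes leaked into the sum)\n", demo_vulnerable_leak());
    printf("crafted image, hardened        : %ld (rejected)\n", demo_hardened_rejects());
    return 0;
}
```

The leak stays within the `crafted` array here only so the example is deterministic; in a real process the same loop walks into whatever follows the decode buffer, and if that is an unmapped page the decoder crashes instead. The hardened check is the whole fix: every length a decoder derives from attacker-controlled header fields must be compared against the number of bytes actually supplied before it is used as a loop bound or an offset.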