CVE-2026-20990

High

Published: 16 March 2026

Published

16 March 2026

Modified

20 March 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0003 8.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20990 is a high-severity an unspecified weakness vulnerability in Samsung Android. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations to prevent local low-privilege attackers from launching arbitrary activities with Secure Folder privileges due to improper component exports.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws like improper Android application component exports via security updates such as SMR Mar-2026 Release 1.

AC-6 Least Privilege partial match

prevent

Applies least privilege to restrict access to Secure Folder components, mitigating escalation from improperly exported activities.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Improper component export allows local low-privileged attackers to launch activities under Secure Folder context, directly enabling local privilege escalation to access protected data and functionality.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper export of android application components in Secure Folder prior to SMR Mar-2026 Release 1 allows local attackers to launch arbitrary activity with Secure Folder privilege.

Deeper analysisAI

CVE-2026-20990 involves improper export of Android application components in Secure Folder prior to SMR Mar-2026 Release 1 on affected Samsung devices. This vulnerability, published on 2026-03-16, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is categorized under NVD-CWE-Other.

Local attackers with low privileges can exploit this issue to launch arbitrary activities using Secure Folder privileges, potentially compromising high levels of confidentiality and integrity without impacting availability.

Samsung's security advisory at https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=03 provides details on the March 2026 updates, with mitigation achieved by applying SMR Mar-2026 Release 1 or later.

Details

CWE(s): NVD-CWE-Other

Affected Products

samsung

android

14.0, 15.0, 16.0

CVEs Like This One

CVE-2025-20890Same product: Samsung Android

CVE-2025-20888Same product: Samsung Android

CVE-2026-20971Same product: Samsung Android

CVE-2026-20979Same product: Samsung Android

CVE-2026-20970Same product: Samsung Android

CVE-2025-20903Same product: Samsung Android

CVE-2026-20983Same product: Samsung Android

CVE-2026-21010Same product: Samsung Android

CVE-2025-20882Same product: Samsung Android

CVE-2025-20881Same product: Samsung Android

References

https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=03
Vendor Advisory · mobile.security@samsung.com