Byte Open Security

(ByteOS Network)

Vulnerability Details :

CVE-2026-20996

Summary
Assigner: SamsungMobile
Assigner Org ID: 3af57064-a867-422c-b2ad-40307b65c458
Published At: 16 Mar, 2026 | 04:32
Updated At: 16 Mar, 2026 | 13:19
Rejected At:

Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.69.15 allows remote attackers to configure a downgraded scheme for authentication.

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)

Affected Products
Vendor: Samsung Electronics, Samsung Mobile
Product: Smart Switch
Default Status: affected
Versions
Unaffected
  • 3.7.69.15
Problem Types
Type: N/A
CWE ID: N/A
Description: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
Metrics
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References
Hyperlink: https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03
Resource: N/A
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Information is not available yet
National Vulnerability Database (NVD)
nvd.nist.gov
Source: mobile.security@samsung.com
Published At: 16 Mar, 2026 | 14:18
Updated At: 31 Mar, 2026 | 00:29

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Samsung
samsung >> smart_switch >> Versions before 3.7.69.15 (exclusive)
cpe:2.3:a:samsung:smart_switch:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-327
Type: Primary
Source: nvd@nist.gov
References
Hyperlink: https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03
Source: mobile.security@samsung.com
Resource: Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

16 Records found

CVE-2022-24924
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 2.2 (LOW)
EPSS: 2.87% / 86.45%
7 Day CHG: ~0.00%
Published: 11 Feb, 2022 | 17:40
Updated: 03 Aug, 2024 | 04:29
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An improper access control in LiveWallpaperService prior to versions 3.0.9.0 allows to create a specific named system directory without a proper permission.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: livewallpaperservice, LiveWallpaper
CWE ID: CWE-284 (Improper Access Control)
CVE-2022-23433
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 4.3 (MEDIUM)
EPSS: 0.23% / 46.17%
7 Day CHG: ~0.00%
Published: 11 Feb, 2022 | 17:40
Updated: 03 Aug, 2024 | 03:43
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Android Q(10) allows attackers to register reminders or execute exported activities remotely.

Action: Not Available
Vendor: Google LLC, Samsung, Samsung Electronics
Product: android, reminder, Reminder
CWE ID: CWE-284 (Improper Access Control)
CVE-2026-20999
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 7.1 (HIGH)
EPSS: 0.16% / 35.98%
7 Day CHG: +0.04%
Published: 16 Mar, 2026 | 04:32
Updated: 31 Mar, 2026 | 00:34
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Authentication bypass by replay in Smart Switch prior to version 3.7.69.15 allows remote attackers to trigger privileged functions.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: smart_switch, Smart Switch
CWE ID: CWE-294 (Authentication Bypass by Capture-replay)
CVE-2026-20995
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.07% / 20.94%
7 Day CHG: ~0.00%
Published: 16 Mar, 2026 | 04:32
Updated: 31 Mar, 2026 | 00:29
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Exposure of sensitive functionality to an unauthorized actor in Smart Switch prior to version 3.7.69.15 allows remote attackers to set a specific configuration.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: smart_switch, Smart Switch
CWE ID: CWE-306 (Missing Authentication for Critical Function)
CVE-2026-20998
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 7.1 (HIGH)
EPSS: 0.27% / 50.51%
7 Day CHG: +0.07%
Published: 16 Mar, 2026 | 04:32
Updated: 31 Mar, 2026 | 00:34
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improper authentication in Smart Switch prior to version 3.7.69.15 allows remote attackers to bypass authentication.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: smart_switch, Smart Switch
CVE-2024-46919
Matching Score: 8
Assigner: MITRE Corporation
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.59% / 69.35%
7 Day CHG: ~0.00%
Published: 13 Jan, 2025 | 00:00
Updated: 20 Jun, 2025 | 16:06
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An issue was discovered in Samsung Mobile Processor Exynos 9820, 9825, 980, 990, 850, 1080, 2100, and 1280. Lack of a length check leads to a stack out-of-bounds write at loadOutputBuffers.

Action: Not Available
Vendor: n/a, Samsung
Product: exynos_850, exynos_990_firmware, exynos_1080_firmware, exynos_1280_firmware, exynos_980, exynos_980_firmware, exynos_9820, exynos_9825, exynos_990, exynos_2100_firmware, exynos_1080, exynos_1280, exynos_850_firmware, exynos_9820_firmware, exynos_2100, exynos_9825_firmware, n/a
CWE ID: CWE-787 (Out-of-bounds Write)
CVE-2021-25447
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.28% / 51.47%
7 Day CHG: ~0.00%
Published: 05 Aug, 2021 | 19:43
Updated: 03 Aug, 2024 | 20:03
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: smartthings, smartthings_firmware, Smart Things
CWE ID: CWE-284 (Improper Access Control)
CVE-2021-25446
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.21% / 43.38%
7 Day CHG: ~0.00%
Published: 05 Aug, 2021 | 19:43
Updated: 03 Aug, 2024 | 20:03
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause arbitrary webpage loading in webview.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: smartthings, smartthings_firmware, Smart Things
CWE ID: CWE-284 (Improper Access Control)
CVE-2021-25448
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.23% / 46.17%
7 Day CHG: ~0.00%
Published: 05 Aug, 2021 | 19:44
Updated: 03 Aug, 2024 | 20:03
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improper access control vulnerability in Smart Touch Call prior to version 1.0.0.5 allows arbitrary webpage loading in webview.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: smart_touch_call, Smart Touch Call
CWE ID: CWE-284 (Improper Access Control)
CVE-2022-30715
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 4 (MEDIUM)
EPSS: 0.06% / 17.12%
7 Day CHG: ~0.00%
Published: 07 Jun, 2022 | 17:55
Updated: 03 Aug, 2024 | 06:56
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improper access control vulnerability in DofViewer prior to SMR Jun-2022 Release 1 allows attackers to control floating system alert window.

Action: Not Available
Vendor: Google LLC, Samsung Electronics
Product: android, Samsung Mobile Devices
CWE ID: CWE-284 (Improper Access Control)
CVE-2023-21479
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.09% / 25.59%
7 Day CHG: +0.02%
Published: 03 Sep, 2025 | 05:17
Updated: 28 Jan, 2026 | 19:14
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Improper authorization in Smart suggestions prior to SMR Apr-2023 Release 1 in Android 13 and 4.1.01.0 in Android 12 allows remote attackers to register a schedule.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: android, smart_suggestions, Samsung Mobile Devices
CVE-2024-20829
Matching Score: 8
Assigner: Samsung Mobile
CVSS Score: 5.4 (MEDIUM)
EPSS: 0.13% / 31.84%
7 Day CHG: ~0.00%
Published: 05 Mar, 2024 | 04:44
Updated: 14 Feb, 2025 | 17:27
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Missing proper interaction for opening deeplink in Samsung Internet prior to version v24.0.0.0 allows remote attackers to open an application without proper interaction.

Action: Not Available
Vendor: Samsung, Samsung Electronics
Product: internet, Samsung Internet
CVE-2025-21062
Matching Score: 6
Assigner: Samsung Mobile
CVSS Score: 7.8 (HIGH)
EPSS: 0.01% / 0.75%
7 Day CHG: ~0.00%
Published: 10 Oct, 2025 | 06:33
Updated: 26 Feb, 2026 | 17:47
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.67.2 allows local attackers to replace the restoring application. User interaction is required for triggering this vulnerability.

Action: Not Available
Vendor: Samsung Electronics, Samsung
Product: smart_switch, Smart Switch
CWE ID: CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)
CVE-2019-11341
Matching Score: 6
Assigner: MITRE Corporation
CVSS Score: 4.6 (MEDIUM)
EPSS: 0.02% / 4.23%
7 Day CHG: ~0.00%
Published: 09 Oct, 2019 | 15:00
Updated: 04 Aug, 2024 | 22:48
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

On certain Samsung P(9.0) phones, an attacker with physical access can start a TCP Dump capture without the user's knowledge. This feature of the Service Mode application is available after entering the *#9900# check code, but is protected by an OTP password. However, this password is created locally and (due to mishandling of cryptography) can be obtained easily by reversing the password creation logic.

Action: Not Available
Vendor: n/a, Google LLC, Samsung
Product: phone, android, n/a
CWE ID: CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)
CVE-2018-21058
Matching Score: 6
Assigner: MITRE Corporation
CVSS Score: 9.8 (CRITICAL)
EPSS: 0.08% / 23.34%
7 Day CHG: ~0.00%
Published: 08 Apr, 2020 | 17:43
Updated: 05 Aug, 2024 | 12:19
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An issue was discovered on Samsung mobile devices with N(7.0), O(8.0) (exynos7420 or Exynos 8890/8996 chipsets) software. Cache attacks can occur against the Keymaster AES-GCM implementation because T-Tables are used; the Cryptography Extension (CE) is not used. The Samsung ID is SVE-2018-12761 (September 2018).

Action: Not Available
Vendor: n/a, Google LLC, Samsung
Product: exynos_7420, android, exynos_8996, exynos_8890, n/a
CWE ID: CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)
CVE-2020-36315
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 5.3 (MEDIUM)
EPSS: 0.13% / 32.33%
7 Day CHG: ~0.00%
Published: 07 Apr, 2021 | 20:10
Updated: 04 Aug, 2024 | 17:23
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

In RELIC before 2020-08-01, RSA PKCS#1 v1.5 signature forgery can occur because certain checks of the padding (and of the first two bytes) are inadequate. NOTE: this requires that a low public exponent (such as 3) is being used. The product, by default, does not generate RSA keys with such a low number.

Action: Not Available
Vendor: relic_project, n/a
Product: relic, n/a
CWE ID: CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)