CVE-2026-20990 is a vulnerability identified in Samsung Mobile devices affecting the Secure Folder feature, which is designed to isolate and protect sensitive applications and data. The issue arises from improper export of Android application components within Secure Folder prior to the SMR March 2026 Release 1 update. Specifically, certain components that should not be externally accessible are mistakenly exported, allowing a local attacker with limited privileges (PR:L) to launch arbitrary activities inside Secure Folder without requiring user interaction or elevated privileges. This improper export violates secure component encapsulation principles, categorized under CWE-926 (Improper Export of Android Application Components). The vulnerability has a CVSS 4.0 base score of 8.4, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required beyond limited local access, no user interaction (UI:N), and high impact on confidentiality and integrity (VC:H, VI:H). The scope is limited to the local device, and availability impact is low. Although no known exploits are reported in the wild, the flaw could enable attackers to bypass Secure Folder protections, potentially accessing or manipulating sensitive data and applications isolated within this environment. The vulnerability affects Samsung Mobile devices running Secure Folder versions prior to the March 2026 security maintenance release, though exact affected versions are unspecified. The flaw highlights the importance of strict component export controls in Android application security, especially for security-critical features like Secure Folder.

The vulnerability allows local attackers to bypass Secure Folder protections by launching arbitrary activities with Secure Folder privileges. This can lead to unauthorized access to sensitive data and applications isolated within Secure Folder, compromising confidentiality and integrity. Organizations relying on Samsung Mobile devices for secure data storage and application isolation may face data breaches, unauthorized data manipulation, and potential lateral movement within the device. The impact is particularly significant for enterprises and government entities using Secure Folder to protect sensitive information. Although exploitation requires local access, the ease of launching arbitrary activities without user interaction or elevated privileges increases risk from insider threats or malware that gains limited local foothold. The vulnerability could undermine trust in Samsung's mobile security features and lead to reputational damage and compliance issues for affected organizations.

1. Apply the SMR March 2026 Release 1 update from Samsung Mobile as soon as it becomes available to patch the vulnerability. 2. Enforce strict local device access controls, including strong authentication and device encryption, to prevent unauthorized local access. 3. Limit installation of untrusted applications and monitor for suspicious local activity that could attempt to exploit this vulnerability. 4. Employ mobile device management (MDM) solutions to enforce security policies and restrict access to Secure Folder features. 5. Educate users about the risks of local device compromise and encourage secure device usage practices. 6. Conduct regular security audits and penetration testing focused on Secure Folder and related components to detect improper exports or privilege escalations. 7. Monitor Samsung security advisories for any updates or additional patches related to this vulnerability.