This vulnerability (CVE-2026-21020) concerns the improper export of Android application components within the OmaCP module on Samsung Mobile Devices before the SMR May-2026 Release 1. Improper export means that components intended to be private or restricted are accessible to local attackers, who can then invoke privileged functions that should be protected. The CVSS 4.0 vector indicates the attack requires local access with low complexity and no privileges or user interaction, and the impact affects confidentiality, integrity, and availability at a low level. No patch or official remediation guidance has been provided by Samsung Mobile as of the publication date.

The vulnerability allows local attackers to access and trigger privileged functions on affected Samsung Mobile Devices, potentially leading to unauthorized actions or information disclosure at a limited level. The CVSS score of 5.1 reflects a medium severity impact with local attack vector and low complexity, but no known exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or remediation level is provided, users should monitor Samsung Mobile advisories for updates and apply the SMR May-2026 Release 1 or later once available to address this issue.