CVE-2026-20990 Overview
CVE-2026-20990 affects Samsung Android devices through an improper export of Android application components in Secure Folder. A local attacker can launch arbitrary activities with Secure Folder privileges, bypassing the isolation boundary that Secure Folder is designed to enforce. Samsung addressed the issue in the SMR Mar-2026 Release 1 security maintenance update.
Secure Folder is a Samsung Knox-backed container used to isolate sensitive applications and data from the main user profile. A flaw allowing arbitrary activity launch with container privileges undermines the data segregation guarantee on which users rely.
Critical Impact
Local attackers with low privileges can launch arbitrary activities inside Secure Folder, gaining access to a security boundary that protects sensitive user data on affected Samsung Android devices.
Affected Products
- Samsung Android 14.0 (prior to SMR Mar-2026 Release 1)
- Samsung Android 15.0 (prior to SMR Mar-2026 Release 1)
- Samsung Android 16.0 (prior to SMR Mar-2026 Release 1)
Discovery Timeline
- 2026-03-16 - CVE-2026-20990 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-20990
Vulnerability Analysis
The vulnerability stems from improperly exported Android application components within Secure Folder. Android applications declare components such as activities, services, and broadcast receivers in their manifest. Components marked as exported, or implicitly exported through intent filters, are reachable by other applications on the device.
In this case, one or more Secure Folder components are exported in a way that permits unauthorized external invocation. A local attacker can craft an intent targeting these components and trigger activity launches that should be restricted to the Secure Folder context. The result is execution within a privileged container without the user authentication normally required to enter Secure Folder.
The issue is classified as a mobile intent redirection and improper access control flaw [NVD-CWE-Other]. Exploitation requires local access and low privileges, with no user interaction. The confidentiality and integrity impacts on the vulnerable component are both high.
Root Cause
The root cause is an Android component export misconfiguration in the Secure Folder application. Components that should be private to the container, or guarded by signature-level permissions, are reachable from outside the container. The result is that activity intents originating from a less-privileged process are accepted and dispatched inside the Secure Folder security domain.
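The following Python is an added example, not Samsung's code and not taken from the vendor advisory. It audits a decoded AndroidManifest.xml for the class of misconfiguration described above: components that are exported explicitly or implicitly through an intent filter, and are not guarded by a signature-level permission. The manifest, the package name com.example.container and all component names are constructed for illustration. The function name audit_exported is hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample; com.example.container is hypothetical, not Secure Folder's manifest.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.container">
  <permission android:name="com.example.container.INTERNAL" android:protectionLevel="signature"/>
  <permission android:name="com.example.container.WEAK" android:protectionLevel="normal"/>
  <application>
    <activity android:name=".LockActivity" android:exported="false"/>
    <activity android:name=".ProxyActivity" android:exported="true"/>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.container.INTERNAL"/>
    <receiver android:name=".CmdReceiver" android:exported="true"
        android:permission="com.example.container.WEAK"/>
  </application>
</manifest>"""


def audit_exported(manifest_xml):
    """Return (tag, name, reason) for exported components lacking a signature guard."""
    root = ET.fromstring(manifest_xml)
    # Protection level of every permission declared in this manifest.
    levels = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
              for p in root.iter("permission")}
    app, findings = root.find("application"), []
    for comp in (c for c in app if c.tag in COMPONENTS):
        explicit = comp.get(A + "exported")
        # No explicit attribute: an intent filter implies export (pre-targetSdk-31 default).
        exported = (explicit == "true") if explicit is not None \
            else comp.find("intent-filter") is not None
        if not exported:
            continue
        # A component-level permission overrides the application-level one.
        perm = comp.get(A + "permission") or app.get(A + "permission")
        level = levels.get(perm, "not declared here") if perm else None
        if perm is None:
            findings.append((comp.tag, comp.get(A + "name"), "no permission"))
        elif "signature" not in level:
            findings.append((comp.tag, comp.get(A + "name"), f"{perm}: {level}"))
    return findings

if __name__ == "__main__":
    for finding in audit_exported(SAMPLE):
        print(finding)
```

A permission reported as "not declared here" is defined in another package or by the platform, so its protection level has to be checked there before the component is treated as adequately guarded.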
Attack Vector
The attack vector is local. A malicious application installed in the primary user profile, or a local attacker with shell access, constructs an intent referencing the affected Secure Folder component. Invoking the component triggers an activity launch under Secure Folder privileges, exposing functionality and data that Samsung Knox isolation is designed to protect.
No verified public proof-of-concept code is available for this vulnerability. Refer to the Samsung Mobile Security Update for vendor technical details.
Detection Methods for CVE-2026-20990
Indicators of Compromise
- Unexpected activity launches associated with the Secure Folder package on devices that have not been unlocked by the user.
- Installation of unknown third-party applications shortly before unauthorized access to Secure Folder content is observed.
- Mobile threat defense logs showing intents targeting Secure Folder components from non-system callers.
Detection Strategies
- Inventory Samsung Android fleet build numbers and flag devices running a security patch level earlier than SMR Mar-2026 Release 1.
- Use mobile device management (MDM) telemetry to identify sideloaded applications that request QUERY_ALL_PACKAGES or interact with Samsung Knox container components.
- Review application install logs for apps requesting intents or component access tied to the Secure Folder package namespace.
Monitoring Recommendations
- Enforce MDM compliance policies that report Samsung security patch level on every check-in and quarantine devices below SMR Mar-2026 Release 1.
- Monitor user reports of Secure Folder content appearing without authentication prompts, which may indicate exploitation.
- Alert on installation of applications from unknown sources on managed Samsung devices.
How to Mitigate CVE-2026-20990
Immediate Actions Required
- Install the Samsung SMR Mar-2026 Release 1 security update on all affected Samsung Android 14, 15, and 16 devices.
- Restrict installation of applications from unknown sources via MDM policy on Samsung Android fleets.
- Audit existing applications on user devices and remove those that are unverified or unnecessary.
Patch Information
Samsung published the fix in the SMR Mar-2026 Release 1 maintenance release. Details and the list of patched CVEs are available in the Samsung Mobile Security Update advisory. Apply firmware updates through Settings > Software update or push the update through enterprise MDM.
Workarounds
- Disable Secure Folder on devices where it is not in use until the SMR Mar-2026 Release 1 update is installed.
- Avoid storing highly sensitive data in Secure Folder on unpatched devices.
- Use MDM to enforce application allow-listing and block installation of untrusted local applications that could invoke Secure Folder components.
# Check Samsung security patch level via ADB
adb shell getprop ro.build.version.security_patch
# Verify the Samsung-specific SMR build identifier
adb shell getprop ro.build.version.sem
adb shell getprop ro.build.PDA
# List installed packages to audit for untrusted apps
adb shell pm list packages -3


