CVE-2026-21011 Overview
CVE-2026-21011 is an incorrect privilege assignment vulnerability [CWE-732] in the Bluetooth component of Samsung Android devices when operating in Maintenance mode. The flaw allows a physical attacker to bypass the Extend Unlock feature on affected devices. Samsung addressed the issue in the SMR Apr-2026 Release 1 security maintenance update.
The vulnerability affects Samsung Android versions 14.0, 15.0, and 16.0 prior to the April 2026 patch level. Exploitation requires physical access and user interaction, limiting the practical attack surface to scenarios where an attacker can handle the target device directly.
Critical Impact
A physical attacker can bypass Extend Unlock through the Bluetooth component in Maintenance mode, compromising the confidentiality, integrity, and availability of the user's device session.
Affected Products
- Samsung Android 14.0 (all SMR releases prior to Apr-2026 R1)
- Samsung Android 15.0 (all SMR releases prior to Apr-2026 R1)
- Samsung Android 16.0 (all SMR releases prior to Apr-2026 R1)
Discovery Timeline
- 2026-04-13 - CVE CVE-2026-21011 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-21011
Vulnerability Analysis
The vulnerability is categorized as an Incorrect Permission Assignment for Critical Resource [CWE-732]. Samsung's Maintenance mode is designed to allow repair technicians to access a device without exposing the owner's personal data. In this isolated state, Bluetooth functionality retains privileges that should not be available to an unauthenticated session.
Extend Unlock (formerly Smart Lock) keeps a device unlocked when paired trusted Bluetooth devices are nearby. The flaw allows the Bluetooth component running under Maintenance mode to interact with Extend Unlock logic in a way that bypasses the lock screen. An attacker with physical possession can leverage this gap to gain access to the primary user profile without supplying credentials.
Root Cause
The root cause is improper privilege separation between the Maintenance mode user context and the Bluetooth subsystem. Maintenance mode should treat the device as if it were a fresh user environment, but the Bluetooth service retains trust associations or capabilities tied to the primary user. This creates an authorization boundary violation that Extend Unlock honors as a legitimate trust signal.
Attack Vector
The attack vector is physical (AV:P) and requires active user interaction (UI:A). An attacker must obtain the target device, enter Maintenance mode, and manipulate Bluetooth state to trigger the Extend Unlock bypass. Successful exploitation grants access to the unlocked primary user environment, exposing applications, messages, and stored credentials. No code execution is required — the bypass leverages legitimate platform features that fail to enforce the expected security boundary.
No public proof-of-concept code or exploitation in the wild has been reported. The EPSS exploitation probability remains low at the time of publication.
Detection Methods for CVE-2026-21011
Indicators of Compromise
- Unexpected entries into Maintenance mode on managed Samsung devices outside of authorized repair workflows.
- Bluetooth pairing or trust events recorded immediately before or during Maintenance mode sessions.
- Device unlock events that do not correspond to user-initiated authentication on the lock screen.
Detection Strategies
- Audit Mobile Device Management (MDM) logs for Maintenance mode activation events on enrolled Samsung Android devices.
- Correlate Bluetooth trust device additions with Extend Unlock state changes to identify anomalous trust establishment.
- Monitor for devices reporting an SMR patch level earlier than April 2026 (SMR Apr-2026 Release 1) across the fleet.
Monitoring Recommendations
- Enroll Samsung devices in an MDM solution that reports patch levels and lock screen configuration changes.
- Alert on Extend Unlock trusted-device list modifications, particularly when initiated outside of normal user activity windows.
- Track lost-or-stolen device reports against subsequent unlock and data-access telemetry to detect physical-access abuse.
How to Mitigate CVE-2026-21011
Immediate Actions Required
- Apply the Samsung SMR Apr-2026 Release 1 update on all affected Android 14.0, 15.0, and 16.0 devices.
- Disable the Extend Unlock feature on devices that cannot be patched immediately, especially those handling sensitive corporate data.
- Enforce strong screen lock policies (PIN, password, or biometrics) through MDM and require re-authentication after Bluetooth disconnects.
Patch Information
Samsung released the fix in the April 2026 Security Maintenance Release (SMR Apr-2026 Release 1). Patch availability and rollout timing vary by carrier, region, and device model. Refer to the Samsung Mobile Security Update advisory for the complete list of affected models and patch identifiers.
Workarounds
- Restrict physical access to corporate-issued Samsung devices and require check-in procedures for repair scenarios.
- Remove unnecessary trusted Bluetooth devices from Extend Unlock configurations to shrink the trust surface.
- Require Maintenance mode activation to be performed only by authorized IT staff and audit each use.
# Example MDM policy to disable trust agents (Extend Unlock) via Android Enterprise
# Set keyguardDisabledFeatures to disable trust agents on managed devices
adb shell dpm set-device-owner com.example.dpc/.AdminReceiver
# In the DPC, apply:
# DevicePolicyManager.setKeyguardDisabledFeatures(admin, KEYGUARD_DISABLE_TRUST_AGENTS)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

