CVE-2026-21033 Overview
CVE-2026-21033 affects Samsung Assistant versions prior to 9.3.14. The vulnerability stems from improper export of an Android application component, specifically the ExpressHomeWidgetReceiver. A local attacker can leverage the exposed component to execute arbitrary script on the affected device. Samsung addressed the issue in its June 2026 mobile security maintenance release.
Critical Impact
A locally installed malicious application can invoke the exported ExpressHomeWidgetReceiver without privileges or user interaction, leading to arbitrary script execution within the context of Samsung Assistant.
Affected Products
- Samsung Assistant versions prior to 9.3.14
- Android devices with Samsung Assistant pre-installed or installed via Galaxy Store
- Samsung Galaxy ecosystem applications relying on the vulnerable widget receiver
Discovery Timeline
- 2026-06-05 - CVE-2026-21033 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-21033
Vulnerability Analysis
The vulnerability resides in ExpressHomeWidgetReceiver, a BroadcastReceiver component of the Samsung Assistant Android application. Android components declared in the manifest with android:exported="true" or with an intent-filter and no explicit access restriction become reachable by other applications on the device.
Samsung Assistant exposes ExpressHomeWidgetReceiver without the necessary permission guard or signature-level protection. As a result, any application installed on the same device can send a crafted intent to the receiver. The receiver then processes attacker-controlled data in a way that results in arbitrary script execution within the privileged context of Samsung Assistant.
Root Cause
The root cause is improper export of an Android application component, mapped to [NVD-CWE-noinfo] in the advisory. The receiver lacks proper access controls such as a signature-level permission, an android:permission attribute, or an explicit android:exported="false" declaration when no external invocation is required. Input received via the intent is not validated before being passed into a script execution path.
Attack Vector
Exploitation requires local access through a malicious application installed on the same device. No user interaction and no elevated privileges are required. The attacker app crafts an Intent targeting Samsung Assistant's ExpressHomeWidgetReceiver, embeds script payloads in the intent extras, and dispatches it via sendBroadcast(). Samsung Assistant then executes the supplied script with its own application privileges, allowing access to data and capabilities granted to Samsung Assistant. Refer to the Samsung Mobile Security Report for vendor details.
Detection Methods for CVE-2026-21033
Indicators of Compromise
- Installation of Samsung Assistant versions earlier than 9.3.14 on managed Android devices
- Unexpected broadcast intents targeting the com.samsung.android.app.assistant package and the ExpressHomeWidgetReceiver class
- Side-loaded or untrusted applications that enumerate or invoke Samsung Assistant components
- Anomalous script execution or outbound network activity originating from the Samsung Assistant process
Detection Strategies
- Inventory installed Android applications and flag devices running Samsung Assistant below 9.3.14
- Use mobile threat defense logs to identify apps that send broadcasts to Samsung system applications
- Review Android logcat or EMM telemetry for repeated invocations of ExpressHomeWidgetReceiver
Monitoring Recommendations
- Track Samsung Assistant version compliance through MDM or UEM reporting
- Monitor for installation of unverified APKs from outside Galaxy Store and Google Play
- Alert on Android applications requesting unusual QUERY_ALL_PACKAGES or component inspection behavior
How to Mitigate CVE-2026-21033
Immediate Actions Required
- Update Samsung Assistant to version 9.3.14 or later via Galaxy Store
- Enforce minimum Samsung Assistant version through MDM compliance policies
- Remove untrusted third-party applications, particularly those installed outside official stores
- Apply the June 2026 Samsung Mobile security maintenance release to managed devices
Patch Information
Samsung published the fix in the June 2026 Samsung Mobile Security Maintenance Release. The patched Samsung Assistant build is version 9.3.14. Full advisory details are available in the Samsung Mobile Security Report.
Workarounds
- Disable or uninstall Samsung Assistant on devices that cannot receive the update
- Restrict side-loading of applications and enforce Google Play Protect on managed devices
- Use Android Enterprise work profiles to isolate corporate data from vulnerable consumer apps
- Block installation of unknown sources through device policy until patched
# Verify Samsung Assistant version via ADB
adb shell dumpsys package com.samsung.android.app.assistant | grep versionName
# Enforce minimum version through MDM compliance rule (example)
# package: com.samsung.android.app.assistant
# minimum_version: 9.3.14
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
