{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21005", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.802Z", "datePublished": "2026-03-16T04:35:37.481Z", "dateUpdated": "2026-03-16T13:19:35.051Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Smart Switch", "versions": [{"status": "unaffected", "version": "3.7.69.15"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Path traversal in Smart Switch prior to version 3.7.69.15 allows adjacent attackers to overwrite arbitrary files with Smart Switch privilege."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-03-16T04:35:37.481Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21005", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:14:04.210883Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:19:35.051Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21005", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:14:04.210883Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:15:45.613Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "ADJACENT", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "Samsung Mobile", "product": "Smart Switch", "versions": [{"status": "unaffected", "version": "3.7.69.15"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "descriptions": [{"lang": "en", "value": "Path traversal in Smart Switch prior to version 3.7.69.15 allows adjacent attackers to overwrite arbitrary files with Smart Switch privilege."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-03-16T04:35:37.481Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21005", "state": "PUBLISHED", "dateUpdated": "2026-03-16T13:19:35.051Z", "dateReserved": "2025-12-11T01:33:35.802Z", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "datePublished": "2026-03-16T04:35:37.481Z", "assignerShortName": "SamsungMobile"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samsung:smart_switch:*:*:*:*:*:*:*:*", "matchCriteriaId": "37A46437-F1AB-40DC-B7FC-77D3CE8047EE", "versionEndExcluding": "3.7.69.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Path traversal in Smart Switch prior to version 3.7.69.15 allows adjacent attackers to overwrite arbitrary files with Smart Switch privilege."}, {"lang": "es", "value": "Salto de ruta en Smart Switch anterior a la versi\u00f3n 3.7.69.15 permite a atacantes adyacentes sobrescribir archivos arbitrarios con privilegios de Smart Switch."}], "id": "CVE-2026-21005", "lastModified": "2026-03-31T00:30:23.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-03-16T14:18:11.640", "references": [{"source": "mobile.security@samsung.com", "tags": ["Vendor Advisory"], "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "3.7.69.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.7.69.15)"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "Smart Switch", "source": "cna", "vendor": "Samsung Mobile"}, "product": "smart_switch", "vendor": "samsung"}], "analysis": {"en": {"generated_at": "2026-03-27T21:57:52.519828+00:00", "value": {"mitigation_remediation": ["Apply the latest Smart Switch update (v3.7.69.15 or newer).", "Verify the integrity of the updated Smart Switch binary and application directories."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Write"}, "threat_synthesis": {"affected_systems": "Any device running Samsung Mobile\u2019s Smart Switch software prior to version 3.7.69.15 is affected. No specific device models or OS versions were listed, so the vulnerability applies universally to all installations of the legacy Smart Switch releases. Upgrading to 3.7.69.15 or newer removes the flaw.", "description_and_impact": "A path traversal flaw in Samsung Mobile\u2019s Smart Switch application, present in versions before 3.7.69.15, allows an adjacent attacker to specify a file path that the application resolves outside its intended directory. By sending a specially crafted path, the attacker can overwrite any file on the device with the same privileges that Smart Switch runs under. This leads to the ability to replace critical system or application files, potentially creating a foothold for further compromise or disabling essential services.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 7.1, signifying a high severity. The EPSS score is under 1%, indicating that exploitation is currently unlikely, but the possibility remains. Attackers need local proximity\u2014such as physical access or a nearby network connection\u2014to exploit the issue. The flaw does not provide direct remote code execution, yet the capacity to overwrite arbitrary files can lead to significant loss of confidentiality, integrity, and availability if critical system or application files are targeted. The fact that the vulnerability is not listed in the CISA KEV catalog suggests no publicly available exploits are confirmed, yet the low EPSS does not eliminate future exploitation risk."}}}}, "created": "2026-03-17T09:55:03.527491+00:00", "title": "Path Traversal in Smart Switch Enabling Arbitrary File Overwrite", "updated": "2026-03-29T20:29:09.788613+00:00", "vendors": ["samsung", "samsung$PRODUCT$smart_switch"], "weaknesses": ["CWE-22", "CWE-284"]}