CVE-2026-21018

MEDIUM

Samsung Mobile Devices - Out-of-bounds Write in SveService

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-21018. PoCs published by Filipemendonca1978.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-21018, demonstrating a buffer overflow in Samsung's SveService. The PoC triggers a crash by sending maliciously crafted integer values to the service, bypassing input validation in the native library.

Description

Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code.

Exploits (1)

github WORKING POC
by Filipemendonca1978 · javapoc
https://github.com/Filipemendonca1978/CVE-2026-21018

This repository contains a functional exploit for CVE-2026-21018, demonstrating a buffer overflow in Samsung's SveService. The PoC triggers a crash by sending maliciously crafted integer values to the service, bypassing input validation in the native library.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Samsung SveService (com.sec.sve) on Android 14, 15, 16
No auth needed
Prerequisites: Android device with affected SveService · ADB access
mistral-large-3 · analyzed Jun 23, 2026 Full analysis →

Scores

CVSS v3 6.7
EPSS 0.0015
EPSS Percentile 5.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-787
Status published
Products (1)
samsung/android 14.0 (50 CPE variants)
Published May 13, 2026
Tracked Since May 13, 2026