CVE-2025-20968

Published May 7, 2025

Last updated 3 months ago

CVSS high 7.2
Mobile device

Overview

Description
Improper access control in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows remote attackers to access data and perform internal operations within Samsung Gallery.
Source
mobile.security@samsung.com
NVD status
Analyzed
Products
gallery

Risk scores

CVSS 3.1

Type
Primary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. CVE-2025-20968 (CVSS:7.2, HIGH) is Awaiting Analysis. Improper access control in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 1..https://t.co/8ZNB1xuXjY #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    12 May 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. ๐Ÿšจ CVE-2025-20968 ๐Ÿ”ด HIGH (7.2) ๐Ÿข Samsung Mobile - Samsung Gallery ๐Ÿ—๏ธ 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 ๐Ÿ”— https://t.co/QugZO0worR #CyberCron #VulnAlert #InfoSec https://t.co/Q87D0PTBrF

    @cybercronai

    7 May 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to use consistent error responses when handling the /mute command which allows an authenticated team member to enumerate private channels they are not authorized to know about via differing error messages for nonexistent versus private channels. Mattermost Advisory ID: MMSA-2026-00588โ€ขCVE-2026-21386
  2. Improper export of android application components in Samsung Assistant prior to version 9.3.10.7 allows local attacker to access saved information.โ€ขCVE-2026-20993
  3. Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerabilityโ€ขCVE-2026-3910
  4. In multiple functions of MediaProvider.java, there is a possible external storage write permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.โ€ขCVE-2025-48579
  5. In multiple locations, there is a possible way to delete media without the MANAGE_EXTERNAL_STORAGE permission due to an intent redirect. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.โ€ขCVE-2025-48582

References

Sources include official advisories and independent security research.