Skip to main content

Samsung Escargot CVE-2026-14160

| EUVDEUVD-2026-40248 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-30 samsung.tv_appliance GHSA-jpx9-q676-jrjx
5.9
CVSS 3.1 · Vendor: samsung.tv_appliance
Share

Severity by source

Vendor (samsung.tv_appliance) PRIMARY
5.9 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
4.9 MEDIUM

TOCTOU inherently requires winning a timing race, warranting AC:H; AV:L and PR:N retained as exploitation occurs via local JS execution without OS privileges.

3.1 AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung.tv_appliance).

CVSS VectorVendor: samsung.tv_appliance

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 03:12 vuln.today

DescriptionCVE.org

Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot allows Leveraging Race Conditions.

This issue affects Escargot: bab3a5797557014ce3c2e28419a6310cfba90d0d.

AnalysisAI

Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems - notably Samsung TV appliances - to local exploitation resulting in limited confidentiality, integrity, and availability impact. The flaw exists at a specific upstream commit (bab3a5797557014ce3c2e28419a6310cfba90d0d) and allows an attacker who can execute code in the same environment to exploit a timing window between a security check and the subsequent use of a resource. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local or app-level execution on Escargot host
Delivery
Submit race-triggering JavaScript payload
Exploit
Win timing window between security check and resource use
Execution
Bypass validation on shared resource
Persist
Read or modify restricted engine memory
Impact
Achieve partial information disclosure or integrity impact

Vulnerability AssessmentAI

Exploitation Exploitation requires local execution context on a system running the vulnerable Escargot JavaScript engine - either direct local access or the ability to supply JavaScript for the engine to evaluate (e.g., via a sideloaded or compromised TV application). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) yields a Medium score of 5.9. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker or a malicious application running on a Samsung TV appliance submits crafted JavaScript designed to repeatedly trigger the vulnerable code path and win the timing window between the security check and resource use. By racing the check-use sequence - for example, swapping an object or memory reference after validation but before consumption - the attacker achieves a limited read of protected data or corrupts engine state. …
Remediation Upstream fix available via GitHub commit 9e8084ecc2f68e8584d389414c3f37fda12dab7d at https://github.com/Samsung/escargot/commit/9e8084ecc2f68e8584d389414c3f37fda12dab7d; a released tagged version incorporating this fix has not been independently confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy