Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Memory allocation with excessive size value vulnerability in Samsung Open Source Escargot allows Excessive Allocation.
This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.
AnalysisAI
Excessive memory allocation in Samsung's Escargot JavaScript engine (commit 590345cc) triggers a denial-of-service condition via integer underflow in the TypedArray.prototype.copyWithin implementation, causing the engine to request a massive heap allocation and subsequently abort the process. Affected deployments include Samsung TV and appliance firmware that embeds Escargot as a scripting runtime. No public exploit code and no CISA KEV listing are present; EPSS data was not provided in available intelligence. Risk is bounded by the local attack vector and user interaction requirement in the CVSS vector.
Technical ContextAI
Escargot is Samsung's open-source C++ JavaScript engine (CPE: cpe:2.3:a:samsung_open_source:escargot:*:*:*:*:*:*:*:*) designed for embedded and IoT platforms including Samsung smart TVs and appliances. The root cause class is CWE-789 (Memory Allocation with Excessive Size Value). The vulnerable code path is in src/builtins/BuiltinTypedArray.cpp within builtinTypedArrayCopyWithin: when TypedArray.prototype.copyWithin coerces its index arguments, a JavaScript-level side effect (such as a valueOf or toString override) can resize the underlying ArrayBuffer during coercion. After the resize, the stored array length (len) is stale, causing expressions like len - startIndex or len - targetIndex to produce negative floating-point results. These negative values are then passed to std::min and ultimately cast to size_t (an unsigned integer type), wrapping to an astronomically large value. The resulting allocation request exhausts memory. The GitHub PR #1565 diff also reveals secondary fixes: a null-pointer dereference in EscargotPublic.cpp for nested eval-throw-finally edge cases, missing fast-mode array checks in ByteCodeInterpreter.cpp after setArrayLength, coercion ordering and re-coercion prevention in DataViewObject.h, and the addition of an OOM abort handler in Heap.cpp via GC_set_oom_fn - confirming that prior to this patch, out-of-memory conditions yielded undefined behavior rather than a clean abort.
RemediationAI
Upstream fix is available via GitHub pull request #1565 at https://github.com/Samsung/escargot/pull/1565; a released tagged version incorporating this fix is not independently confirmed from available data, so downstream consumers must monitor the Samsung Escargot repository for an official release. Organizations embedding Escargot directly should apply the PR diff - specifically the count clamping fix in src/builtins/BuiltinTypedArray.cpp (adding std::max(0.0, ...) around the min expression) and the OOM abort handler in src/heap/Heap.cpp. As a compensating control, restricting the installation or execution of untrusted third-party applications on Samsung smart TV and appliance platforms reduces exposure, though this limits legitimate app ecosystem functionality. Restricting access to Escargot-powered scripting interfaces in embedded deployments (e.g., disabling developer mode or sideloading capabilities) is a more targeted mitigation with lower functional impact. Enabling ASAN builds in QA/testing pipelines is now facilitated by the ASAN detection macros added in src/Escargot.h in the same PR, which can surface similar memory issues before production release.
Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att
Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary
Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un
Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat
Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7
The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart
The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long
The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v
Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary
Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30845
GHSA-mpg3-32g2-7qf5