Skip to main content

Samsung Escargot CVE-2026-47313

| EUVDEUVD-2026-30845 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-05-19 samsung.tv_appliance GHSA-mpg3-32g2-7qf5
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 08:32 vuln.today
Analysis Generated
May 19, 2026 - 08:32 vuln.today

DescriptionCVE.org

Memory allocation with excessive size value vulnerability in Samsung Open Source Escargot allows Excessive Allocation.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AnalysisAI

Excessive memory allocation in Samsung's Escargot JavaScript engine (commit 590345cc) triggers a denial-of-service condition via integer underflow in the TypedArray.prototype.copyWithin implementation, causing the engine to request a massive heap allocation and subsequently abort the process. Affected deployments include Samsung TV and appliance firmware that embeds Escargot as a scripting runtime. No public exploit code and no CISA KEV listing are present; EPSS data was not provided in available intelligence. Risk is bounded by the local attack vector and user interaction requirement in the CVSS vector.

Technical ContextAI

Escargot is Samsung's open-source C++ JavaScript engine (CPE: cpe:2.3:a:samsung_open_source:escargot:*:*:*:*:*:*:*:*) designed for embedded and IoT platforms including Samsung smart TVs and appliances. The root cause class is CWE-789 (Memory Allocation with Excessive Size Value). The vulnerable code path is in src/builtins/BuiltinTypedArray.cpp within builtinTypedArrayCopyWithin: when TypedArray.prototype.copyWithin coerces its index arguments, a JavaScript-level side effect (such as a valueOf or toString override) can resize the underlying ArrayBuffer during coercion. After the resize, the stored array length (len) is stale, causing expressions like len - startIndex or len - targetIndex to produce negative floating-point results. These negative values are then passed to std::min and ultimately cast to size_t (an unsigned integer type), wrapping to an astronomically large value. The resulting allocation request exhausts memory. The GitHub PR #1565 diff also reveals secondary fixes: a null-pointer dereference in EscargotPublic.cpp for nested eval-throw-finally edge cases, missing fast-mode array checks in ByteCodeInterpreter.cpp after setArrayLength, coercion ordering and re-coercion prevention in DataViewObject.h, and the addition of an OOM abort handler in Heap.cpp via GC_set_oom_fn - confirming that prior to this patch, out-of-memory conditions yielded undefined behavior rather than a clean abort.

RemediationAI

Upstream fix is available via GitHub pull request #1565 at https://github.com/Samsung/escargot/pull/1565; a released tagged version incorporating this fix is not independently confirmed from available data, so downstream consumers must monitor the Samsung Escargot repository for an official release. Organizations embedding Escargot directly should apply the PR diff - specifically the count clamping fix in src/builtins/BuiltinTypedArray.cpp (adding std::max(0.0, ...) around the min expression) and the OOM abort handler in src/heap/Heap.cpp. As a compensating control, restricting the installation or execution of untrusted third-party applications on Samsung smart TV and appliance platforms reduces exposure, though this limits legitimate app ecosystem functionality. Restricting access to Escargot-powered scripting interfaces in embedded deployments (e.g., disabling developer mode or sideloading capabilities) is a more targeted mitigation with lower functional impact. Enabling ASAN builds in QA/testing pipelines is now facilitated by the ASAN detection macros added in src/Escargot.h in the same PR, which can surface similar memory issues before production release.

CVE-2024-7399 HIGH POC
8.8 Aug 12

Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att

CVE-2025-4632 CRITICAL POC
9.8 May 13

Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary

CVE-2012-4333 CRITICAL POC
10.0 Aug 14

Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0

CVE-2017-16524 HIGH POC
8.8 Nov 06

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u

CVE-2015-8279 HIGH POC
8.6 Jan 15

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un

CVE-2017-17692 HIGH POC
7.5 Dec 21

Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat

CVE-2012-6429 CRITICAL POC
10.0 Apr 04

Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7

CVE-2012-4329 HIGH POC
7.8 Aug 14

The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart

CVE-2012-4330 HIGH POC
7.8 Aug 14

The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long

CVE-2012-4334 CRITICAL POC
10.0 Aug 14

The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v

CVE-2015-5473 CRITICAL
9.8 Jun 01

Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary

CVE-2012-4250 CRITICAL POC
9.3 Aug 13

Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls

Share

CVE-2026-47313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy