Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper Check for Unusual or Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation.
This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.
AnalysisAI
Denial-of-service in Samsung's Escargot JavaScript engine (commit 590345cc) stems from multiple unhandled exceptional conditions - including a null error-value dereference during nested eval/throw/finally sequences, integer underflow in TypedArray.copyWithin after runtime buffer resize, an unhandled out-of-memory condition in the garbage collector, and an invalid fast-mode array assertion during spread operations. Exploitation requires local access and user interaction (AV:L/UI:R per CVSS), crashing or aborting the Escargot runtime process. No public exploit code or CISA KEV listing exists at time of analysis; an upstream fix is available as GitHub PR #1565 but no tagged release version has been confirmed.
Technical ContextAI
Escargot (CPE: cpe:2.3:a:samsung_open_source:escargot:*:*:*:*:*:*:*:*) is a lightweight, embedded JavaScript engine developed by Samsung Open Source, primarily targeting resource-constrained environments such as Samsung smart TVs and appliances (consistent with the 'samsung.tv_appliance' reporter identifier). CWE-754 (Improper Check for Unusual or Exceptional Conditions) covers a class of bugs where the software does not adequately check for or handle exceptional runtime states. The PR diff reveals at least five distinct defects: (1) EscargotPublic.cpp dereferences an error value without first verifying hasValue(), exploitable via crafted nested eval-throw-finally patterns that trigger allocation during unwinding; (2) BuiltinTypedArray.cpp computes a count that can go negative after a resizable ArrayBuffer is modified during argument coercion, causing integer underflow when cast to size_t; (3) Heap.cpp lacked an OOM callback, allowing the GC allocator to silently fail; (4) ByteCodeInterpreter.cpp assumed arrays remain in fast mode after setArrayLength, an invalid invariant when length thresholds are exceeded during spread; (5) DataViewObject.h re-coerced a numeric value after buffer state changed, introducing a TOCTOU-style inconsistency. All defects share the CWE-754 root cause: missing guards for states that the engine's implicit invariants assumed could not occur.
RemediationAI
The upstream fix is available as GitHub PR #1565 (https://github.com/Samsung/escargot/pull/1565), which patches all five identified defects across EscargotPublic.cpp, BuiltinTypedArray.cpp, Heap.cpp, ByteCodeInterpreter.cpp, DataViewObject.h, and FinalizationRegistryObject.cpp. A patched tagged release version has not been independently confirmed - this is a PR/commit-level fix, not a versioned release. Consumers of Escargot as a library should build from a commit after this PR is merged and verify the fix is included. For embedded platform operators (Samsung TV/appliance firmware), apply the OEM firmware update once Samsung releases a patched build incorporating this fix. As a compensating control where patching is not immediately possible, restricting the source and content of JavaScript processed by the Escargot runtime - for example, disabling execution of third-party or untrusted scripts - reduces crash exposure, though this may limit platform functionality. Enabling AddressSanitizer (ASAN) builds for testing environments is now natively supported by the PR's new ASAN detection macros and can help detect further memory-safety edge cases before production deployment.
Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att
Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary
Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un
Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat
Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7
The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart
The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long
The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v
Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary
Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30847
GHSA-4q76-r9jm-m677