Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Local vector with user interaction reflects JS engine processing user-supplied scripts; PR:N as no OS credentials needed; A:H for reliable crash, I:L for stack corruption, C:N as no data exposure.
Primary rating from Vendor (samsung.tv_appliance).
CVSS VectorVendor: samsung.tv_appliance
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Stack-based buffer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers.
This issue affects Escargot: before b30b63fc63b403907d8137da1c65aaa4521fe74e.
AnalysisAI
Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to a device running Escargot and user interaction - specifically, a user or local process must actively supply or trigger execution of a malicious JavaScript payload through the Escargot engine. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.1 (Medium) is consistent with the constrained attack surface: AV:L limits exploitation to local context, AC:L indicates no special race conditions or configurations are needed once local access is achieved, and UI:R means passive or silent exploitation is not possible - a user or process must actively supply malicious JavaScript. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious JavaScript file containing input designed to overflow a stack buffer during Escargot's parsing or execution phase - for example, an abnormally large string, deeply nested object literal, or specially structured bytecode. The malicious script is delivered to a Samsung TV or appliance where Escargot processes it, either through a user-opened local file or an application that feeds external content to the engine. … |
| Remediation | The upstream fix is available via GitHub pull request #1585 (https://github.com/Samsung/escargot/pull/1585), which introduces the corrected code at commit b30b63fc63b403907d8137da1c65aaa4521fe74e. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper input validation vulnerability in Samsung Open Source Escargot allows stack overflow and segmentation fault.0.0
Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.0.0.
Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a l
Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing mali
Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to hi
Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker
Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems -
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42571
GHSA-95xm-4789-hr5f