Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
OOB read (CWE-125) plausibly leaks memory (C:L), overriding official C:N given the 'Information Disclosure' tag; local vector and user interaction confirmed.
Primary rating from Vendor (samsung.tv_appliance).
CVSS VectorVendor: samsung.tv_appliance
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Out-of-bounds read, Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers.
This issue affects Escargot: before 779f6bedf58f334dec64b0a51ebb724b4708b84a.
AnalysisAI
Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause memory corruption leading to high availability impact and limited integrity compromise. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with the engine's primary deployment in Samsung TV appliance and IoT platforms. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local execution of crafted JavaScript content within the Escargot engine, as confirmed by the CVSS AV:L (local attack vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 3.1 scores this at 6.1 Medium with AV:L/AC:L/PR:N/UI:R - meaning local access and user interaction are both required, substantially reducing the real-world attack surface compared to a network-exploitable flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor crafts a malicious JavaScript file or application containing input specifically designed to trigger the out-of-bounds read or write condition within Escargot's parsing or execution path. When a user on a Samsung TV or IoT device runs or loads this content - for example, by launching a sideloaded app or interacting with crafted media - the engine processes the malicious script locally, resulting in memory corruption that crashes the JavaScript runtime or leaks adjacent heap memory. … |
| Remediation | The upstream fix is available via GitHub pull request #1580 (https://github.com/Samsung/escargot/pull/1580), targeting commit 779f6bedf58f334dec64b0a51ebb724b4708b84a; however, a formal tagged release version incorporating this fix has not been independently confirmed from available data - platform integrators should verify against the upstream repository directly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper input validation vulnerability in Samsung Open Source Escargot allows stack overflow and segmentation fault.0.0
Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.0.0.
Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a l
Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing mali
Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to hi
Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corru
Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems -
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42572
GHSA-2f23-fgrf-4r2h