Skip to main content

Samsung Escargot CVE-2026-58304

| EUVDEUVD-2026-42572 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-09 samsung.tv_appliance GHSA-2f23-fgrf-4r2h
6.1
CVSS 3.1 · Vendor: samsung.tv_appliance
Share

Severity by source

Vendor (samsung.tv_appliance) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
6.6 MEDIUM

OOB read (CWE-125) plausibly leaks memory (C:L), overriding official C:N given the 'Information Disclosure' tag; local vector and user interaction confirmed.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung.tv_appliance).

CVSS VectorVendor: samsung.tv_appliance

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 12:16 EUVD
Analysis Generated
Jul 09, 2026 - 12:06 vuln.today

DescriptionCVE.org

Out-of-bounds read, Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers.

This issue affects Escargot: before 779f6bedf58f334dec64b0a51ebb724b4708b84a.

AnalysisAI

Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause memory corruption leading to high availability impact and limited integrity compromise. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with the engine's primary deployment in Samsung TV appliance and IoT platforms. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Deliver crafted JavaScript to target device
Delivery
User triggers local script execution
Exploit
Escargot engine processes malicious input
Execution
Out-of-bounds read/write corrupts heap memory
Impact
Engine crash causes denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires local execution of crafted JavaScript content within the Escargot engine, as confirmed by the CVSS AV:L (local attack vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 3.1 scores this at 6.1 Medium with AV:L/AC:L/PR:N/UI:R - meaning local access and user interaction are both required, substantially reducing the real-world attack surface compared to a network-exploitable flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor crafts a malicious JavaScript file or application containing input specifically designed to trigger the out-of-bounds read or write condition within Escargot's parsing or execution path. When a user on a Samsung TV or IoT device runs or loads this content - for example, by launching a sideloaded app or interacting with crafted media - the engine processes the malicious script locally, resulting in memory corruption that crashes the JavaScript runtime or leaks adjacent heap memory. …
Remediation The upstream fix is available via GitHub pull request #1580 (https://github.com/Samsung/escargot/pull/1580), targeting commit 779f6bedf58f334dec64b0a51ebb724b4708b84a; however, a formal tagged release version incorporating this fix has not been independently confirmed from available data - platform integrators should verify against the upstream repository directly. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy