Skip to main content

Samsung Escargot CVE-2026-58305

| EUVDEUVD-2026-42574 MEDIUM
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-07-09 samsung.tv_appliance GHSA-f5pv-4r42-w7j4
6.1
CVSS 3.1 · Vendor: samsung.tv_appliance
Share

Severity by source

Vendor (samsung.tv_appliance) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
6.1 MEDIUM

Local delivery of malicious JS requires user interaction; no privileges needed; availability high from crash, integrity low from pointer manipulation, no confidentiality impact per available data.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung.tv_appliance).

CVSS VectorVendor: samsung.tv_appliance

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 12:16 EUVD
Analysis Generated
Jul 09, 2026 - 12:05 vuln.today

DescriptionCVE.org

Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.

This issue affects Escargot: before 779f6bedf58f334dec64b0a51ebb724b4708b84a.

AnalysisAI

Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to high-impact availability disruption and limited integrity compromise when processing malicious JavaScript. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with particular relevance to Samsung embedded and smart appliance ecosystems where this engine is deployed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft type-confusing JavaScript payload
Delivery
Deliver script to target Escargot deployment
Exploit
User or process triggers script evaluation
Execution
Type confusion corrupts internal object pointer
Persist
Pointer manipulation causes memory corruption
Impact
Process crash (DoS) or limited memory write

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target system runs a version of Escargot prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a and that a user or process on that system evaluates attacker-controlled JavaScript input through the engine (UI:R per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 6.1 (Medium) reflects a local attack vector requiring user interaction, which materially constrains exploitability compared to network-reachable vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious JavaScript file that triggers a type confusion condition in Escargot's object handling - for example, by constructing an object whose internal type tag is manipulated to cause the engine to treat a pointer as an incompatible type. When a user or automated process on a Samsung appliance or embedded device evaluates this script via Escargot, the engine dereferences a manipulated pointer, causing a crash (high availability impact) or a controlled write to an unintended memory location (low integrity impact). …
Remediation The primary remediation is to update Escargot to a build incorporating commit 779f6bedf58f334dec64b0a51ebb724b4708b84a or later, as introduced in GitHub PR #1580 (https://github.com/Samsung/escargot/pull/1580). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy