Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Local delivery of malicious JS requires user interaction; no privileges needed; availability high from crash, integrity low from pointer manipulation, no confidentiality impact per available data.
Primary rating from Vendor (samsung.tv_appliance).
CVSS VectorVendor: samsung.tv_appliance
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.
This issue affects Escargot: before 779f6bedf58f334dec64b0a51ebb724b4708b84a.
AnalysisAI
Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to high-impact availability disruption and limited integrity compromise when processing malicious JavaScript. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with particular relevance to Samsung embedded and smart appliance ecosystems where this engine is deployed. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target system runs a version of Escargot prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a and that a user or process on that system evaluates attacker-controlled JavaScript input through the engine (UI:R per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 6.1 (Medium) reflects a local attack vector requiring user interaction, which materially constrains exploitability compared to network-reachable vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious JavaScript file that triggers a type confusion condition in Escargot's object handling - for example, by constructing an object whose internal type tag is manipulated to cause the engine to treat a pointer as an incompatible type. When a user or automated process on a Samsung appliance or embedded device evaluates this script via Escargot, the engine dereferences a manipulated pointer, causing a crash (high availability impact) or a controlled write to an unintended memory location (low integrity impact). … |
| Remediation | The primary remediation is to update Escargot to a build incorporating commit 779f6bedf58f334dec64b0a51ebb724b4708b84a or later, as introduced in GitHub PR #1580 (https://github.com/Samsung/escargot/pull/1580). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper input validation vulnerability in Samsung Open Source Escargot allows stack overflow and segmentation fault.0.0
Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.0.0.
Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a l
Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing mali
Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker
Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corru
Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems -
Same technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42574
GHSA-f5pv-4r42-w7j4