Skip to main content

Samsung Escargot CVE-2026-58306

| EUVDEUVD-2026-42575 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-07-09 samsung.tv_appliance GHSA-q26j-g249-rwxv
6.1
CVSS 3.1 · Vendor: samsung.tv_appliance
Share

Severity by source

Vendor (samsung.tv_appliance) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
6.1 MEDIUM

Local vector and user interaction required to feed malicious JS; no privileges needed; availability-dominant impact with no confidentiality exposure.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung.tv_appliance).

CVSS VectorVendor: samsung.tv_appliance

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 12:04 vuln.today

DescriptionCVE.org

Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers.

This issue affects Escargot: before ef525f337fafddecde77a3c426212a84bb20cb98.

AnalysisAI

Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing maliciously crafted input, leading to a high-severity availability impact and a limited integrity impact. The vulnerability affects all Escargot releases before commit ef525f337fafddecde77a3c426212a84bb20cb98, targeting embedded and IoT contexts where the engine is deployed - most notably Samsung TV appliances. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious JavaScript payload
Delivery
Deliver payload to target Escargot-enabled device
Exploit
User or system loads and executes script
Execution
Heap buffer overflow triggered in engine
Persist
Heap memory corruption
Impact
Application or JS runtime crash (DoS)

Vulnerability AssessmentAI

Exploitation The attacker must supply malicious JavaScript input that is processed by the Escargot engine on the target device; this requires the user or system to actively execute or load the crafted script (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (Medium) reflects the constrained attack surface: local vector, no privilege requirement, but mandatory user interaction, no confidentiality impact, and an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker delivers a crafted JavaScript file or payload to a device running the Escargot engine - for example, via a malicious third-party app or content page on a Samsung TV. When the device's Escargot runtime processes the script, the heap buffer overflow is triggered, corrupting adjacent heap memory and causing the JavaScript engine process to crash, resulting in denial of service of the affected application or feature. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy