Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Local vector and user interaction required to feed malicious JS; no privileges needed; availability-dominant impact with no confidentiality exposure.
Primary rating from Vendor (samsung.tv_appliance).
CVSS VectorVendor: samsung.tv_appliance
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
1DescriptionCVE.org
Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers.
This issue affects Escargot: before ef525f337fafddecde77a3c426212a84bb20cb98.
AnalysisAI
Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing maliciously crafted input, leading to a high-severity availability impact and a limited integrity impact. The vulnerability affects all Escargot releases before commit ef525f337fafddecde77a3c426212a84bb20cb98, targeting embedded and IoT contexts where the engine is deployed - most notably Samsung TV appliances. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must supply malicious JavaScript input that is processed by the Escargot engine on the target device; this requires the user or system to actively execute or load the crafted script (UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.1 (Medium) reflects the constrained attack surface: local vector, no privilege requirement, but mandatory user interaction, no confidentiality impact, and an unchanged scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker delivers a crafted JavaScript file or payload to a device running the Escargot engine - for example, via a malicious third-party app or content page on a Samsung TV. When the device's Escargot runtime processes the script, the heap buffer overflow is triggered, corrupting adjacent heap memory and causing the JavaScript engine process to crash, resulting in denial of service of the affected application or feature. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper input validation vulnerability in Samsung Open Source Escargot allows stack overflow and segmentation fault.0.0
Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.0.0.
Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a l
Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to hi
Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker
Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corru
Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems -
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42575
GHSA-q26j-g249-rwxv