Skip to main content

Samsung Escargot CVE-2026-58307

| EUVDEUVD-2026-42578 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-09 samsung.tv_appliance GHSA-7947-c2xp-c8w5
6.1
CVSS 3.1 · Vendor: samsung.tv_appliance
Share

Severity by source

Vendor (samsung.tv_appliance) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
vuln.today AI
6.1 MEDIUM

Local vector and user interaction required to feed crafted JS; no privilege needed; crash impact is high availability, integrity low from assertion side-effect, no confirmed data disclosure.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (samsung.tv_appliance).

CVSS VectorVendor: samsung.tv_appliance

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Patch available
Jul 09, 2026 - 12:16 EUVD
Analysis Generated
Jul 09, 2026 - 12:03 vuln.today

DescriptionCVE.org

Out-of-bounds read, Reachable assertion vulnerability in Samsung Open Source Escargot allows Overread Buffers, Input Data Manipulation.

This issue affects Escargot: before 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c.

AnalysisAI

Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause a denial of service and limited data manipulation by supplying crafted JavaScript input. All versions prior to commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c are affected, with the primary real-world impact being an availability loss (crash) and low-confidence integrity effect. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious JavaScript input
Delivery
Deliver script to Escargot-embedded application
Exploit
Trigger out-of-bounds read in parser/executor
Execution
Hit reachable assertion
Impact
Crash Escargot process (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that a user or process on the local system execute a crafted JavaScript input through an application embedding the Escargot engine (UI:R, AV:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (Medium) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H presents a moderate, locally-scoped risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker supplies a specially crafted JavaScript file or input string to an application or embedded device that uses Escargot as its script engine. When a local user or automated process executes the malicious script, Escargot performs an out-of-bounds read that triggers a reachable assertion, crashing the interpreter process and causing a denial of service. …
Remediation Upstream fix available via GitHub pull request #1586 (https://github.com/Samsung/escargot/pull/1586); a released, tagged patched version is not independently confirmed from the available data - downstream consumers should verify whether a stable release incorporating commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c has been published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy