Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Local vector and user interaction required to feed crafted JS; no privilege needed; crash impact is high availability, integrity low from assertion side-effect, no confirmed data disclosure.
Primary rating from Vendor (samsung.tv_appliance).
CVSS VectorVendor: samsung.tv_appliance
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Out-of-bounds read, Reachable assertion vulnerability in Samsung Open Source Escargot allows Overread Buffers, Input Data Manipulation.
This issue affects Escargot: before 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c.
AnalysisAI
Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause a denial of service and limited data manipulation by supplying crafted JavaScript input. All versions prior to commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c are affected, with the primary real-world impact being an availability loss (crash) and low-confidence integrity effect. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a user or process on the local system execute a crafted JavaScript input through an application embedding the Escargot engine (UI:R, AV:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.1 (Medium) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H presents a moderate, locally-scoped risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker supplies a specially crafted JavaScript file or input string to an application or embedded device that uses Escargot as its script engine. When a local user or automated process executes the malicious script, Escargot performs an out-of-bounds read that triggers a reachable assertion, crashing the interpreter process and causing a denial of service. … |
| Remediation | Upstream fix available via GitHub pull request #1586 (https://github.com/Samsung/escargot/pull/1586); a released, tagged patched version is not independently confirmed from the available data - downstream consumers should verify whether a stable release incorporating commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c has been published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Improper input validation vulnerability in Samsung Open Source Escargot allows stack overflow and segmentation fault.0.0
Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers.0.0.
Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing mali
Type confusion (CWE-843) in Samsung's open-source Escargot JavaScript engine enables pointer manipulation, leading to hi
Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker
Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corru
Time-of-check time-of-use (TOCTOU) race condition in Samsung's open-source Escargot JavaScript engine exposes systems -
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42578
GHSA-7947-c2xp-c8w5