The vulnerability is a time‑of‑check time‑of‑use race condition that can allow an attacker to influence Escargot’s internal state or behavior. The specific impact is not detailed in the advisory, but the flaw introduces a window where concurrent operations can interact with stale or incorrect data, potentially leading to corrupted execution or privilege abuse. The weakness is classified as CWE‑367.

The affected product is Samsung’s open‑source JavaScript engine Escargot, as identified in the commit hash bab3a5797557014ce3c2e28419a6310cfba90d0d. No explicit version numbers are provided, so all builds incorporating this code are considered vulnerable until a patch is released.

With a CVSS score of 5.9, the vulnerability has a moderate impact. The EPSS score is not available, and Escargot is not listed in the CISA KEV catalog. The attack vector is inferred to be local or through concurrent execution contexts within Escargot, as the flaw arises during race conditions between check and use phases. Exploitation would likely require the ability to trigger parallel operations or influence process scheduling, making it more suitable for a privileged local attacker or for a supply‑chain scenario where code is run in a compromised environment.