Description
Deserialization of untrusted data vulnerability in Samsung Open Source Escargot JavaScript allows denial of service condition via process abort.

This issue affects Escargot prior to commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335.
Published: 2026-04-13
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A flaw exists in the Samsung Open Source Escargot JavaScript engine that allows untrusted serialized data to be processed without sufficient validation. Deserialization of such data can provoke a process abort, effectively halting the engine and causing a denial of service to any application that relies on it. The weakness is rooted in unsafe deserialization practices and improper type handling, as indicated by the associated CWEs.

Affected Systems

The affected product is the Samsung Open Source Escargot JavaScript engine. All releases prior to the code change identified by commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335 are vulnerable; versions containing this commit or later are considered safe.

Risk and Exploitability

With a CVSS score of 6.2 the vulnerability is classified as medium severity. The EPSS score is not provided and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit this weakness by delivering maliciously crafted serialized data to Escargot—potentially through web content, script files, or other mechanisms that trigger the engine. The effect is limited to service disruption, with no direct path to data exposure or privilege escalation.

Generated by OpenCVE AI on April 13, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Escargot to a revision that includes commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 or later.
  • If an immediate update is not possible, isolate or sandbox applications that employ Escargot to process external or untrusted JavaScript data, and enforce strict input validation before the deserialization step.
  • Monitor system logs for unexpected process abort events and investigate any related anomalies.



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type: Metrics
Values Removed:
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 14:30:00 +0000

Type: Title
Values Removed:
Values Added: Denial of Service via Untrusted Data Deserialization in Samsung Escargot

Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Samsung Open Source; Samsung Open Source escargot

Type: Vendors & Products
Values Removed:
Values Added: Samsung Open Source; Samsung Open Source escargot

Mon, 13 Apr 2026 02:45:00 +0000

Type: Description
Values Removed: Deserialization of untrusted data vulnerability in Samsung Open Source Escarogt Java Script allows denial of service condition via process abort. This issue affects escarogt prior to commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335
Values Added: Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort. This issue affects escarogt prior to commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335

Mon, 13 Apr 2026 01:15:00 +0000

Type: Description
Values Removed:
Values Added: Deserialization of untrusted data vulnerability in Samsung Open Source Escarogt Java Script allows denial of service condition via process abort. This issue affects escarogt prior to commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335

Type: Weaknesses
Values Removed:
Values Added: CWE-502; CWE-843

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-04-14T07:45:27.372Z

Reserved: 2026-01-30T06:07:11.090Z

Link: CVE-2026-25204

Vulnrichment

Updated: 2026-04-13T17:58:04.251Z

NVD

Status: Awaiting Analysis

Published: 2026-04-13T01:16:35.313

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-25204

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:53:46Z
