Impact
A heap‑based buffer overflow in Samsung Open Source Escargot permits an out‑of‑bounds write that could lead to arbitrary code execution or a denial of service. This vulnerability stems from improper bounds checking when handling input data in the engine, allowing malicious content to corrupt memory and potentially overwrite executable code or pointers. The official CWE identifier for this weakness is CWE‑122, which describes heap buffer overflows that may compromise software integrity and availability.
Affected Systems
The issue impacts the Escargot JavaScript engine provided by Samsung Open Source. Vulnerable versions include the code snapshot identified by the commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335, as referenced in the GitHub pull request. Administrators should verify whether their deployment uses this commit or an earlier, unpatched state.
Risk and Exploitability
The CVSS score of 7.4 reflects high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to supply crafted input to the affected component, most likely via local interaction or possibly through remote input if the engine processes externally sourced scripts. Without an EPSS score there is limited insight into the real‑world exploitation probability, but the high CVSS score indicates significant potential impact if the flaw is exploited.