Description
Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
Published: 2026-04-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary pointer manipulation
Action: Apply Patch
AI Analysis

Impact

Escargot contains a type confusion flaw that allows the creation of pointers when an object of an incompatible type is accessed. This vulnerability (CWE‑843) provides the attacker with the ability to manipulate memory addresses arbitrarily. If successfully exploited, it could lead to memory corruption, arbitrary code execution, or privilege escalation within the process that runs Escargot.

Affected Systems

The affected product is Samsung Open Source Escargot, a JavaScript engine used in Samsung devices and applications. The flaw was present in the code base at commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 and later fixed by the merged pull request noted in the official reference.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium‑severity vulnerability. Exploitation likely requires execution of untrusted JavaScript within Escargot, suggesting a local or remote code execution vector through scripting or loading of malicious scripts. No EPSS data or KEV listing is available, so the current attack likelihood cannot be precisely quantified, but the vulnerability could be leveraged by attackers with access to code execution environments that depend on Escargot.

Generated by OpenCVE AI on April 13, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Samsung Escargot to the latest commit that includes the security fix, such as the version after 97e8115ab1110bc502b4b5e4a0c689a71520d335.
  • If an immediate upgrade is not feasible, isolate the Escargot runtime from untrusted input and enforce strict sandboxing.
  • Monitor Samsung's GitHub repository or vendor announcements for patch releases and apply them promptly.

Generated by OpenCVE AI on April 13, 2026 at 07:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Arbitrary Pointer Manipulation via Type Confusion in Escargot

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Samsung Open Source
Samsung Open Source escargot
Vendors & Products Samsung Open Source
Samsung Open Source escargot

Mon, 13 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H'}

 cvssV3_1

{'score': 6.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H'}

Mon, 13 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Description Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
Weaknesses CWE-843
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H'}

Subscriptions

Samsung Open Source Escargot
cve-icon MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-04-13T18:06:17.120Z

Reserved: 2026-04-13T04:23:34.942Z

Link: CVE-2026-40446

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-13T05:16:04.863

Modified: 2026-04-13T15:01:43.663

Link: CVE-2026-40446

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T12:53:03Z

Weaknesses