Description
NULL pointer dereference vulnerability in Samsung Open Source Walrus allows an attacker to cause a denial of service via a crafted WebAssembly module containing deeply nested instructions.

This issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9.
Published: 2026-05-19
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference in Walrus leads to a denial of service when a specially crafted WebAssembly module containing deeply nested instructions is loaded. The bug causes the runtime to crash, interrupting normal operation and potentially affecting any service relying on Walrus.

Affected Systems

The vulnerability is present in the Samsung Open Source Walrus project at commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9. No specific product version ranges are provided beyond this commit identifier.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity risk. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to be able to supply a malicious WebAssembly module to a system running the affected Walrus instance, which could be achieved through any exposed API that accepts such modules.

Generated by OpenCVE AI on May 19, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Walrus to the latest stable release that resolves the null pointer dereference.
  • Disable or harden any features that allow the loading of untrusted WebAssembly modules unless they are thoroughly validated.
  • Add validation checks for instruction nesting depth before execution to prevent excessive resource consumption.

Advisories

No advisories yet.

History

Tue, 19 May 2026 05:15:00 +0000

Values added:
  • Title: Denial of Service via Deeply Nested WebAssembly Module in Walrus

Tue, 19 May 2026 03:30:00 +0000

Values added:
  • Description: NULL pointer dereference vulnerability in Samsung Open Source Walrus allows an attacker to cause a denial of service via a crafted WebAssembly module containing deeply nested instructions. This issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9.
  • Weaknesses: CWE-476
  • References:
  • Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-05-19T02:51:55.651Z

Reserved: 2026-05-19T02:40:40.159Z

Link: CVE-2026-47307

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T04:16:31.317

Modified: 2026-05-19T04:16:31.317

Link: CVE-2026-47307

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T05:00:11Z