Description
Use after free vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.
Published: 2026-05-19
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Escargot, Samsung’s open‑source JavaScript engine, contains a use‑after‑free flaw that allows attackers to manipulate pointers and corrupt memory. The vulnerability (CWE‑416) can be triggered by feeding specially crafted input to the engine and leads to escalation of privileges or arbitrary code execution on the host system.

Affected Systems

The defect resides in the code base identified by commit 590345cc6258317c5da850d846ce6baaf2afc2d3. Any Escargot releases or forked versions that include this commit before the changes in pull request 1565 are vulnerable. Devices or applications that embed the affected runtime without the fix are at risk.

Risk and Exploitability

The CVSS score of 7.8 classifies the vulnerability as high severity. EPSS data is not available, so the exact likelihood of exploitation is unknown, but the absence from the CISA KEV list does not diminish the need for prompt action. Based on the description, it is inferred that attackers could exploit the flaw remotely by supplying crafted input, leading to memory corruption and potential remote code execution if the engine is exposed to untrusted data.

Generated by OpenCVE AI on May 19, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Escargot release that incorporates the fix for the use‑after‑free flaw; if a newer release is not available, merge the changes from pull request 1565 into your code base.
  • Rebuild and redeploy the patched Escargot binaries to all systems where the vulnerable version is in use.
  • Verify that the fixed code is fully exercised by unit tests or integration tests, and monitor for anomalous memory usage to confirm the vulnerability is fully mitigated.

Generated by OpenCVE AI on May 19, 2026 at 08:23 UTC.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Samsung; Samsung escargot
CPEs | | cpe:2.3:a:samsung:escargot:2026-05-14:*:*:*:*:*:*:*
Vendors & Products | | Samsung; Samsung escargot

Tue, 19 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Samsung Open Source; Samsung Open Source escargot
Vendors & Products | | Samsung Open Source; Samsung Open Source escargot

Tue, 19 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
Title | | Use‑After‑Free Exploit Enabling Pointer Manipulation in Escargot

Tue, 19 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | Use after free vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.
Weaknesses | | CWE-416
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Samsung Escargot
Samsung Open Source Escargot
MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-05-19T12:32:54.964Z

Reserved: 2026-05-19T02:40:40.159Z

Link: CVE-2026-47310

Vulnrichment

Updated: 2026-05-19T12:32:51.999Z

NVD

Status: Analyzed

Published: 2026-05-19T07:16:29.953

Modified: 2026-06-02T18:45:08.537

Link: CVE-2026-47310

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T09:30:25Z

Weaknesses