Description
Use after free vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.
Published: 2026-05-19
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Escargot, Samsung’s open‑source JavaScript engine, contains a use‑after‑free flaw that allows attackers to manipulate pointers and corrupt memory. The vulnerability (CWE‑416) can be triggered by feeding specially crafted input to the engine and leads to escalation of privileges or arbitrary code execution on the host system.

Affected Systems

The defect resides in the code base identified by commit 590345cc6258317c5da850d846ce6baaf2afc2d3. Any Escargot releases or forked versions that include this commit before the changes in pull request 1565 are vulnerable. Devices or applications that embed the affected runtime without the fix are at risk.

Risk and Exploitability

The CVSS score of 7.8 classifies the vulnerability as high severity. EPSS data is not available, so the likelihood of exploitation is unknown, and the absence from the CISA KEV list does not diminish the need for prompt action. Based on the description, it is inferred that attackers could exploit the flaw remotely by supplying crafted input, leading to memory corruption and potential remote code execution if the engine is exposed to untrusted data. The recorded CVSS vector (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) itself rates the attack vector as local, with no privileges required and user interaction required.

Generated by OpenCVE AI on May 19, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Escargot release that incorporates the fix for the use‑after‑free flaw; if a newer release is not available, merge the changes from pull request 1565 into your code base.
  • Rebuild and redeploy the patched Escargot binaries to all systems where the vulnerable version is in use.
  • Verify that the fixed code is fully exercised by unit tests or integration tests, and monitor for anomalous memory usage to confirm the vulnerability is fully mitigated.


Advisories

No advisories yet.

History

Tue, 19 May 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Use‑After‑Free Exploit Enabling Pointer Manipulation in Escargot |

Tue, 19 May 2026 06:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Use after free vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. |
| Weaknesses | | CWE-416 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-05-19T04:52:56.571Z

Reserved: 2026-05-19T02:40:40.159Z

Link: CVE-2026-47310

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-19T07:16:29.953

Modified: 2026-05-19T07:16:29.953

Link: CVE-2026-47310

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T08:30:36Z

Weaknesses