Description
Improper validation of STRING tensor offsets could allow malformed string metadata to trigger out-of-bounds access during constant tensor import in Samsung Open Source ONE.
Affected version is prior to commit 1.30.0.
Published: 2026-04-22
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out of Bounds Access
Action: Apply patch
AI Analysis

Impact

The vulnerability describes improper validation of STRING tensor offsets that can allow malformed string metadata to trigger out‑of‑bounds access during constant tensor import in Samsung Open Source ONE. This failure to enforce bounds checks could lead to corrupt memory or service instability when crafted data is processed; these outcomes are inferred from the nature of out‑of‑bounds issues and are not explicitly detailed in the CVE description.

Affected Systems

Samsung Open Source ONE installations built from any release prior to commit 1.30.0 are affected, as earlier versions lack the necessary bounds‑checking logic for string tensor imports.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity, EPSS data is not available, and the vulnerability is not listed in CISA KEV, suggesting no documented exploitation to date. Based on the description, the likely attack vector involves an attacker who can supply malformed string tensor metadata—this could occur in a local environment or potentially via remote input if the library processes untrusted data. The description does not provide evidence of exploitation, so these statements are inferred from the nature of the flaw.

Generated by OpenCVE AI on April 22, 2026 at 07:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest commit 1.30.0 or a newer release, which introduces required bounds checks in string tensor imports.
  • Rebuild or update all applications that depend on Samsung Open Source ONE to link against the patched library version.
  • If an immediate upgrade is not feasible, implement validation of STRING tensor offsets before import to ensure they remain within valid bounds, providing a temporary safeguard.

Advisories

No advisories yet.

References
History

Wed, 22 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Samsung Open Source; Samsung Open Source one
Vendors & Products | | Samsung Open Source; Samsung Open Source one

Wed, 22 Apr 2026 08:00:00 +0000

Type | Values Removed | Values Added
Title | | Improper Validation of STRING Tensor Offsets Leading to Out‑of‑Bounds Access

Wed, 22 Apr 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper validation of STRING tensor offsets could allow malformed string metadata to trigger out-of-bounds access during constant tensor import in Samsung Open Source ONE. Affected version is prior to commit 1.30.0.
Weaknesses | | CWE-1284
References | |
Metrics | | cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: samsung.tv_appliance

Published:

Updated: 2026-04-22T12:30:25.364Z

Reserved: 2026-04-22T06:03:50.823Z

Link: CVE-2026-6839

Vulnrichment

Updated: 2026-04-22T12:30:06.852Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T07:16:14.957

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-6839

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:44:33Z

Weaknesses