VYPR
High severity · 7.8 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-47310

Description

Use after free vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in Samsung's Escargot JavaScript engine allows pointer manipulation, potentially leading to code execution.

Vulnerability

A use-after-free vulnerability exists in the Escargot JavaScript engine developed by Samsung, specifically in commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The flaw occurs when setArrayLength converts an array to non-fast mode if the length exceeds certain thresholds, leading to a dangling pointer. This issue is triggered during property access operations, particularly when proxy objects are involved [1].

Exploitation

To exploit this vulnerability, an attacker must deliver a crafted JavaScript script to the target application that uses Escargot. The attacker requires no special authentication or network position beyond being able to execute JavaScript in the affected context. The observed crash occurs when the engine accesses a property after the underlying array buffer has been freed, resulting in a use-after-free condition that can be leveraged for pointer manipulation [1].

Impact

Successful exploitation could allow an attacker to achieve arbitrary code execution within the context of the Escargot process. The use-after-free leads to pointer manipulation, which can be further abused to corrupt memory and control program execution flow. The impact is limited to the Escargot runtime environment, but this could expose sensitive data or allow remote code execution if Escargot is used in a server-side or embedded context [1].

Mitigation

Samsung has fixed the issue in the commit merged via Pull Request #1565 on the Escargot repository [1]. Users should update to a version beyond commit 590345cc6258317c5da850d846ce6baaf2afc2d3 that includes the fix. No workarounds are provided. The CVE has not been listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile/Escargot (references, 2 versions)
    • (no CPE)
    • (no CPE), range: = commit 590345cc6258317c5da850d846ce6baaf2afc2d3

Patches

1
590345cc6258

Update vendor test

https://github.com/Samsung/escargot · Seonghyun Kim · May 14, 2026 · via nvd-ref
1 file changed · +1 -1
  • test/vendortest · +1 -1 · modified
    @@ -1 +1 @@
    -Subproject commit 71d8a3453148662bcbde7cd8180aaea7bf29ae32
    +Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
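
Review bot: Missing documentation for the `test/vendortest` pointer change: the hunk swaps one opaque submodule hash for another (`71d8a34` to `e17c468`), and the commit title "Update vendor test" does not say which tests the new revision brings in or which engine commit they cover. Suggest naming the regression test and the fixing source commit in the commit message so the bump can be audited without diffing the submodule; no Escargot source change is visible here to review against the use-after-free.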
    

Vulnerability mechanics

Root cause

"Use-after-free in Escargot JavaScript engine allows access to freed memory through pointer manipulation."

Attack vector

An attacker can trigger a use-after-free by crafting JavaScript that causes an object to be freed while a reference to it still exists. The vulnerability is reachable locally when a victim opens a malicious script or webpage (user interaction required). The CVSS vector indicates no privileges are needed, but the attack requires local access and user interaction [CWE-416]. The patch only updates a vendor test subproject commit, so the exact triggering mechanism is not disclosed in the available diff.

Affected code

The patch updates the `test/vendortest` subproject commit but does not show which source files in Escargot are affected. The advisory states the issue is a use-after-free in Escargot at commit `590345cc6258317c5da850d846ce6baaf2afc2d3`. The specific functions or code paths at fault are not visible in the provided diff.

What the fix does

The patch updates the vendor test subproject commit hash from `71d8a3453148662bcbde7cd8180aaea7bf29ae32` to `e17c4680af0a133981ab19aa6ea0b67bd705f66c` [patch_id=600095]. This change likely includes test cases that reproduce the use-after-free condition. The patch does not show the actual source code fix in Escargot itself; the fix may reside in the updated vendor test submodule or in a separate commit not included in this bundle.

Preconditions

  • auth: No authentication required
  • input: Attacker must supply a crafted JavaScript file or webpage
  • network: Local access only; victim must execute the malicious script
  • config: No special configuration required

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
