VYPR
High severity · 7.8 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-47311

Description

Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap buffer overflow in Samsung Escargot JavaScript engine due to improper array length handling, leading to potential code execution.

Vulnerability

A heap-based buffer overflow vulnerability exists in Samsung's open-source Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The bug occurs in two related paths: setArrayLength, which converts an array to non-fast mode when the new length exceeds its thresholds, and the check that an index property falls within the string length, which goes wrong when proxy objects are involved. Either path can cause an overflow of heap buffers, as described in the fix pull request [1].

Exploitation

An attacker can trigger the overflow by crafting JavaScript code that manipulates array lengths and proxy objects to cause the engine to write beyond allocated heap buffers. No authentication is required if the attacker can execute arbitrary JavaScript (e.g., via a web page or script). The exact steps involve creating a proxy that intercepts property access and setting array length to trigger the vulnerable code path [1].

Impact

Successful exploitation could allow an attacker to corrupt heap memory, potentially leading to arbitrary code execution or denial of service. The impact is high as it may allow full compromise of the application using Escargot [1].

Mitigation

The fix is provided in pull request #1565 on the Samsung Escargot GitHub repository [1]. Users should update to a version that includes this fix. No workaround is mentioned. The vulnerability is not listed in CISA KEV as of publication.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile/Escargot (2 references, 2 versions)
    • (no CPE)
    • (no CPE) range: = 590345cc6258317c5da850d846ce6baaf2afc2d3

Patches

1
590345cc6258

Update vendor test

https://github.com/Samsung/escargot · Seonghyun Kim · May 14, 2026 · via nvd-ref
1 file changed · +1 −1
  • test/vendortest (+1 −1, modified)
    @@ -1 +1 @@
    -Subproject commit 71d8a3453148662bcbde7cd8180aaea7bf29ae32
    +Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
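Review bot: this hunk only moves the test/vendortest submodule pointer from 71d8a3453148662bcbde7cd8180aaea7bf29ae32 to e17c4680af0a133981ab19aa6ea0b67bd705f66c and touches no Escargot source file, so by itself it cannot be the bounds-check fix the advisory describes; the commit message "Update vendor test" also names neither the CVE nor the pull request (#1565) that the advisory cites as the fix. Suggest that the entry linked as the patch point at the source-level change from that pull request, and that a commit bumping a test submodule in response to a CVE say so in its message, so that downstream consumers can verify which commit actually closes the overflow rather than treating this submodule update as the fix.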
    

Vulnerability mechanics

Root cause

"Heap-based buffer overflow in Escargot JavaScript engine due to insufficient bounds checking during array/string operations."

Attack vector

An attacker can trigger the heap-based buffer overflow by crafting a malicious JavaScript file that, when executed by the Escargot engine, causes out-of-bounds writes on the heap. The vulnerability is reachable through any application that embeds Escargot and processes untrusted JavaScript input. The CVSS vector indicates local access with user interaction required (e.g., opening a malicious file or visiting a crafted page). The advisory does not specify the exact function or code path where the overflow occurs.

Affected code

The advisory identifies Escargot at commit `590345cc6258317c5da850d846ce6baaf2afc2d3` as affected. The patch [patch_id=600094] only updates a vendor test subproject reference; no source file changes are shown. The exact functions or code paths responsible for the heap-based buffer overflow are not specified in the provided bundle.

What the fix does

The patch [patch_id=600094] updates the vendor test subproject commit from `71d8a3453148662bcbde7cd8180aaea7bf29ae32` to `e17c4680af0a133981ab19aa6ea0b67bd705f66c`. The diff does not show changes to Escargot source code itself; it only updates the vendored test suite reference. The advisory does not include a source-level patch, so the specific fix mechanism (e.g., added bounds checks or size validations) is not visible from the provided bundle.

Preconditions

  • input: Attacker must supply a crafted JavaScript file or script to the Escargot engine.
  • auth: No authentication required; the vulnerability is triggerable by any user who can execute JavaScript via Escargot.
  • network: No network access required; the attack is local (AV:L in CVSS).

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
