VYPR
Medium severity · 5.5 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-47312

Description

Release of invalid pointer or reference vulnerability in Samsung Open Source Escargot allows Buffer Manipulation.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A release of an invalid pointer or reference in Samsung Escargot allows buffer manipulation, leading to a potential crash or undefined behavior.

Vulnerability

A release of invalid pointer or reference vulnerability exists in Samsung Open Source Escargot, specifically at commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The issue resides in the setArrayLength operation, which can convert an array to non-fast mode when the length exceeds thresholds, potentially leaving a dangling pointer or reference that leads to buffer manipulation. The vulnerable code path is reachable during JavaScript execution when certain array length modifications are performed, particularly in interactions with proxy objects or when checking whether a property is an index property within the string length [1].

Exploitation

An attacker would need to provide a crafted JavaScript script that triggers the vulnerable code path in Escargot. The specific conditions involve manipulating array lengths in a way that causes the engine to transition an array from fast mode to non-fast mode, resulting in the release of an invalid pointer or reference. This can be achieved through a sequence of operations that include setArrayLength with a length exceeding internal thresholds, combined with proxy object interactions [1]. No authentication is required beyond the ability to execute JavaScript in the context of the Escargot engine.

Impact

Successful exploitation could lead to buffer manipulation, potentially resulting in a crash (denial of service) or undefined behavior. The CIA impact is primarily on availability (crash) and potentially integrity (if the invalid pointer leads to memory corruption). The vulnerability is classified as medium severity with a CVSS v3 base score of 5.5 [1].

Mitigation

The fix is included in Pull Request #1565 on the Samsung Escargot GitHub repository, which addresses the crash issues by adding checks for invalid pointers during array length operations. Users should update to a version of Escargot that includes this fix or apply the patch from the pull request. No workaround is disclosed in the available references [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile/Escargot · references · 2 versions
    • (no CPE)
    • (no CPE), range: =590345cc6258317c5da850d846ce6baaf2afc2d3

Patches

1
590345cc6258

Update vendor test

https://github.com/Samsung/escargot · Seonghyun Kim · May 14, 2026 · via nvd-ref
1 file changed · +1 -1
  • test/vendortest · +1 -1 · modified
    @@ -1 +1 @@
    -Subproject commit 71d8a3453148662bcbde7cd8180aaea7bf29ae32
    +Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
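
Review bot: nothing in this hunk touches engine source; the single changed line in test/vendortest only moves the subproject pointer from 71d8a345... to e17c4680..., so this diff alone cannot confirm that the invalid pointer release is fixed. The commit title "Update vendor test" should say which test cases the new vendortest revision brings in and reference the engine commit or pull request that carries the code change, so anyone pinning to this commit can check that the fix itself, and not only its tests, is present in their tree.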
    

Vulnerability mechanics

Root cause

"Release of an invalid or dangling pointer during object deallocation in Escargot's memory management."

Attack vector

An attacker must trick a user into running crafted JavaScript that triggers a specific sequence of object allocations and deallocations. The vulnerability is triggered locally when the Escargot JavaScript engine processes the malicious script, causing it to release a pointer that is no longer valid or was never properly allocated. This leads to a buffer manipulation that can crash the engine, resulting in a denial-of-service condition. No authentication or special privileges are required beyond user interaction to load the script.

Affected code

The patch does not show which source files or functions are at fault. It only updates the vendor test subproject commit hash in test/vendortest. The advisory indicates the vulnerability is in Escargot commit 590345cc6258317c5da850d846ce6baaf2afc2d3, but the specific code path is not disclosed in the supplied bundle.

What the fix does

The patch updates the vendor test subproject commit hash from 71d8a3453148662bcbde7cd8180aaea7bf29ae32 to e17c4680af0a133981ab19aa6ea0b67bd705f66c. The diff does not show the actual code changes in the engine; it only reflects an update to the vendored test suite. The advisory does not specify the exact code-level fix, but the subproject update likely includes test cases that cover the previously unhandled edge case in pointer release logic.

Preconditions

  • input: Attacker must supply a crafted JavaScript file that triggers the invalid pointer release.
  • auth: No authentication required beyond user interaction to execute the script.
  • network: No network access required; the script can be loaded locally.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1