VYPR
High severity 7.8 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-47314

Description

Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds write in the Samsung Escargot JavaScript engine allows buffer overflows, leading to potential code execution.

Vulnerability

An out-of-bounds write vulnerability exists in the Samsung Open Source Escargot JavaScript engine, specifically in the commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The bug occurs when setArrayLength fails to properly handle array length conversions that exceed internal thresholds, causing the engine to convert the array to non-fast mode and subsequently write past allocated buffer boundaries. The condition is triggered by specific JavaScript operations involving array length manipulation or proxy objects [1].

Exploitation

An attacker can exploit this vulnerability by crafting a JavaScript script that triggers the out-of-bounds write. The attacker requires no special network position or authentication beyond the ability to execute JavaScript code within the Escargot engine. The exploitation sequence involves creating an array, manipulating its length to exceed thresholds, and leveraging proxy objects to bypass length checks, leading to a controlled write beyond the intended buffer [1].

Impact

Successful exploitation leads to a buffer overflow, which can corrupt adjacent memory. This can result in arbitrary code execution or a denial of service (crash). The impact is confined to the Escargot engine process, potentially affecting any application that embeds this JavaScript engine [1].

Mitigation

A fix is available in the referenced pull request [1], which has been merged into the Escargot repository. Users should update to the latest commit that includes this patch. No official release version has been announced as of publication. No workarounds are documented; the only mitigation is to apply the patch or avoid untrusted JavaScript execution on systems using this vulnerable Escargot version.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile/Escargot · 2 versions
    • (no CPE)
    • (no CPE), range: = 590345cc6258317c5da850d846ce6baaf2afc2d3

Patches

1
590345cc6258

Update vendor test

https://github.com/Samsung/escargot · Seonghyun Kim · May 14, 2026 · via nvd-ref
1 file changed · +1 -1
  • test/vendortest · +1 -1 · modified
    @@ -1 +1 @@
    -Subproject commit 71d8a3453148662bcbde7cd8180aaea7bf29ae32
    +Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
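Review bot: the `+Subproject commit` line in test/vendortest only moves a submodule pointer, so this change carries no engine-side bounds check and cannot be reviewed as the fix on its own. The commit message "Update vendor test" should name the regression test that the new vendortest revision adds and reference the engine commit that changes the affected code, so the pointer bump can be tied to the out-of-bounds write it is listed against.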
    

Vulnerability mechanics

Root cause

"Out-of-bounds write in Escargot's JavaScript engine due to insufficient bounds checking on buffer operations."

Attack vector

An attacker can trigger the out-of-bounds write by providing a crafted JavaScript input that causes the engine to write beyond allocated buffer boundaries. The vulnerability is reachable locally with no special privileges required, but relies on user interaction (e.g., opening a malicious script or webpage). The CVSS vector indicates local access (AV:L) and low complexity (AC:L), meaning the attacker only needs to convince a user to execute the crafted script. The exact payload shape is not detailed in the patch, but the bug class [CWE-787] (Out-of-bounds Write) allows overwriting adjacent memory, potentially leading to code execution.

Affected code

The patch [patch_id=600626] only updates the vendor test subproject commit hash in `test/vendortest`. The actual vulnerable code paths in the Escargot JavaScript engine are not shown in this bundle. The advisory describes the issue as an out-of-bounds write leading to overflow buffers, which typically occurs in memory management or array/string handling routines within the engine.

What the fix does

The patch [patch_id=600626] updates the vendor test subproject commit from `71d8a3453148662bcbde7cd8180aaea7bf29ae32` to `e17c4680af0a133981ab19aa6ea0b67bd705f66c`. This change pulls in updated test cases that likely cover the boundary conditions which previously triggered the out-of-bounds write. The patch itself does not show the engine source code changes; the actual fix to the buffer bounds checking is presumably included in the updated vendor test submodule or in a separate commit not shown in this bundle.

Preconditions

  • input: Attacker must supply a crafted JavaScript file or script that triggers the out-of-bounds write.
  • auth: No authentication required; the vulnerability can be triggered by any user.
  • network: No network access needed; the attack is local (AV:L).
  • config: No special configuration required.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
