VYPR
Medium severity 5.5 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-47315

Description

Improper Check for Unusual or Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing exception check in Samsung Escargot's `setArrayLength` allows input data manipulation via crafted array length operations.

Vulnerability

An improper check for unusual or exceptional conditions exists in Samsung Open Source Escargot, specifically in the implementation of setArrayLength. When a JavaScript array length is set beyond certain thresholds, the function can convert the array to non-fast mode without proper validation. This affects the specific commit 590345cc6258317c5da850d846ce6baaf2afc2d3 [1].

Exploitation

An attacker with the ability to execute arbitrary JavaScript code in the Escargot engine can trigger the vulnerability by calling setArrayLength with a very large or specially crafted length value. No additional authentication or network position is required beyond the attacker's code execution context. The malicious array manipulation causes the engine to enter an inconsistent state [1].

Impact

Successful exploitation allows input data manipulation, potentially leading to memory corruption or unexpected program behavior. The CVSS v3 severity of 5.5 (Medium) indicates a moderate confidentiality, integrity, or availability impact, though the full scope depends on the hosting application [1].

Mitigation

The fix is merged in pull request #1565 in the Samsung/escargot repository [1]. Users should update Escargot to any commit after 590345cc6258317c5da850d846ce6baaf2afc2d3 to include the patch. No workarounds are documented.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile/Escargot (2 versions)
    • (no CPE)
    • (no CPE), range: = commit 590345cc6258317c5da850d846ce6baaf2afc2d3

Patches

1
590345cc6258

Update vendor test

https://github.com/Samsung/escargot · Seonghyun Kim · May 14, 2026 · via nvd-ref
1 file changed · +1 −1
  • test/vendortest+1 1 modified
    @@ -1 +1 @@
    -Subproject commit 71d8a3453148662bcbde7cd8180aaea7bf29ae32
    +Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
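    Review bot: No engine source change accompanies the test/vendortest pointer bump (71d8a34 to e17c468), so the check this test update is meant to exercise cannot be reviewed from this commit. Reference the commit that changes the engine code in the commit message and name the vendortest case that covers it, so the fix and its regression test can be traced together. The title "Update vendor test" also says nothing about what changed inside the subproject; a one-line summary of the added or corrected tests would make the bump auditable.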
    

Vulnerability mechanics

Root cause

"Missing bounds or exception check in the Escargot JavaScript engine allows an out-of-bounds or exceptional condition to be triggered via crafted input."

Attack vector

An attacker can supply a specially crafted JavaScript input to the Escargot engine that triggers an improper check for unusual or exceptional conditions [CWE-754]. The vulnerability is exploitable locally (AV:L) with no privileges required (PR:N) but requires user interaction (UI:R), meaning the victim must load the malicious input. The payload causes the engine to enter an unexpected state, leading to a denial of service (A:H) through input data manipulation.

Affected code

The patch modifies the vendortest subproject reference in the Escargot repository at commit `590345cc6258317c5da850d846ce6baaf2afc2d3`. The exact engine source files responsible for the vulnerability are not shown in the supplied patch diff, as the change only updates a subproject commit hash.

What the fix does

The patch updates the vendortest subproject commit from `71d8a3453148662bcbde7cd8180aaea7bf29ae32` to `e17c4680af0a133981ab19aa6ea0b67bd705f66c` [patch_id=600625]. The advisory does not specify the exact code-level changes within the subproject, but the vendor test update indicates that test coverage was added or corrected to account for the previously unhandled exceptional condition. This closes the vulnerability by ensuring the engine properly checks for and handles the unusual condition rather than allowing it to cause undefined behavior.

Preconditions

  • input: Attacker must supply a crafted JavaScript input that triggers the unusual/exceptional condition.
  • auth: No authentication required (PR:N).
  • network: Local access required (AV:L); the victim must load the malicious input locally.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
