Medium severity · 5.5 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-47316

Description

Improper Check or Handling of Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper exception handling in Samsung Escargot before commit 590345cc allows input data manipulation via crafted JavaScript.

Vulnerability

An improper check or handling of exceptional conditions vulnerability exists in Samsung Open Source Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The flaw occurs when the engine fails to correctly handle certain exceptional conditions during script execution, potentially allowing an attacker to manipulate input data. The issue is addressed in Pull Request #1565, which fixes multiple crash-related problems [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted JavaScript input to the Escargot engine. No authentication or special privileges are required if the engine is exposed to untrusted scripts (e.g., in a browser or server-side environment). The exact sequence involves triggering an exceptional condition that the engine does not properly check, leading to data manipulation. The PR description mentions fixes for crashes related to setArrayLength and proxy objects, suggesting these code paths are involved [1].

Impact

Successful exploitation allows an attacker to manipulate input data, which could lead to information disclosure, denial of service, or potentially further compromise depending on the context. The CVSS v3 score of 5.5 (Medium) indicates a moderate impact on confidentiality, integrity, or availability. The vulnerability does not appear to enable remote code execution based on available information.

Mitigation

The vulnerability is fixed in the commit associated with Pull Request #1565 [1]. Users should update their Escargot installation to a version that includes this fix. As of the publication date (2026-05-19), no official release version has been announced, but the patch is available in the repository. No workarounds are documented. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile/Escargot · references · 2 versions
    • (no CPE)
    • (no CPE), range: = 590345cc6258317c5da850d846ce6baaf2afc2d3

Patches

1
590345cc6258

Update vendor test

https://github.com/Samsung/escargot · Seonghyun Kim · May 14, 2026 · via nvd-ref
1 file changed · +1 −1
  • test/vendortest · +1 −1 · modified
    @@ -1 +1 @@
    -Subproject commit 71d8a3453148662bcbde7cd8180aaea7bf29ae32
    +Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
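
Review bot: The `test/vendortest` pointer moves from 71d8a345 to e17c4680 with nothing in the commit saying what the new submodule revision contains. The message "Update vendor test" should name the regression tests being pulled in and reference the engine-side change they exercise, because this commit touches no engine source and a reader cannot tell from it which behaviour is now covered. If the bump is meant to accompany a fix, landing it in the same commit or series as that fix would keep the test and the code change traceable to each other.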
    

Vulnerability mechanics

Root cause

"Improper handling of exceptional conditions during input processing in Escargot allows a crafted input to trigger an unrecoverable error state."

Attack vector

An attacker can supply a specially crafted input to the Escargot JavaScript engine. The vulnerability is triggered when the engine encounters an exceptional condition (such as an unexpected data structure or malformed input) that is not properly checked or handled [CWE-703]. The attack requires local access and user interaction (e.g., opening a malicious script or webpage), and it does not require authentication. The result is a denial-of-service condition (availability impact) as the engine enters an undefined or crash state.

Affected code

The patch updates the vendor test subproject reference in `test/vendortest` [patch_id=600624]. The advisory does not specify which source files within Escargot contain the vulnerable code path. The vulnerability involves improper handling of exceptional conditions during input processing, likely in the parser or interpreter components that process user-supplied JavaScript or script data.

What the fix does

The patch updates the vendor test subproject commit from `71d8a3453148662bcbde7cd8180aaea7bf29ae32` to `e17c4680af0a133981ab19aa6ea0b67bd705f66c` [patch_id=600624]. The advisory does not provide the source-level diff within Escargot itself, so the exact code change is not visible from this patch alone. However, the vendor test update likely includes test cases that validate proper handling of the previously unhandled exceptional condition, closing the vulnerability by ensuring the engine gracefully handles the malformed input instead of entering an undefined state.

Preconditions

  • input: Attacker must supply a crafted input that triggers an exceptional condition in Escargot.
  • auth: No authentication required.
  • network: Local access required; the victim must open the malicious input (e.g., via a script or webpage).

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
