VYPR
Medium severity 5.5 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-47317

Description

Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Excessive Allocation.

This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Uncontrolled recursion in Samsung Escargot JavaScript engine before commit 590345c can lead to excessive memory allocation, causing denial of service.

Vulnerability

An uncontrolled recursion vulnerability exists in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3 and prior). The engine fails to properly limit recursion depth in certain code paths, leading to excessive memory allocation. This issue is triggered during JavaScript execution when specific patterns cause deep recursive calls, exhausting available memory.

Exploitation

An attacker can exploit this vulnerability by crafting a JavaScript snippet that induces uncontrolled recursion. No special privileges or user interaction beyond executing the malicious script is required. The script could be delivered via a web page or any application embedding the vulnerable Escargot engine.

Impact

Successful exploitation results in denial of service due to memory exhaustion. The engine may crash or become unresponsive, disrupting services that rely on it. No code execution or information disclosure has been reported.

Mitigation

The issue is addressed in pull request #1565 [1], which contains a fix for the crash. Users should update Escargot to a version that includes this fix. No workaround is available, and the CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
590345cc6258

Update vendor test

https://github.com/Samsung/escargot · Seonghyun Kim · May 14, 2026 · via nvd-ref
1 file changed · +1 −1
  • test/vendortest · +1 −1 · modified
    @@ -1 +1 @@
    -Subproject commit 71d8a3453148662bcbde7cd8180aaea7bf29ae32
    +Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
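
Review bot: the only change at test/vendortest is a submodule pointer bump from 71d8a34 to e17c468, so nothing in this hunk shows which vendor tests were added or changed. The commit message "Update vendor test" should name the regression test it pulls in and reference the engine change that test exercises, so the bump can be reviewed against the recursion fix rather than taken on trust.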
    

Vulnerability mechanics

Root cause

"Uncontrolled recursion in the Escargot JavaScript engine leads to excessive stack allocation when processing deeply nested structures."

Attack vector

An attacker can craft a JavaScript input containing deeply nested objects, arrays, or function calls that trigger uncontrolled recursion in the Escargot engine. The vulnerability is exploitable locally (AV:L) with no privileges required (PR:N), but requires user interaction (UI:R) such as opening a malicious script or webpage. The recursion causes excessive stack memory allocation, leading to a denial-of-service condition via stack exhaustion.

Affected code

The patch only updates a vendor test subproject commit hash in test/vendortest. The underlying engine code path responsible for the uncontrolled recursion is not shown in the supplied bundle. The vulnerability affects the Escargot JavaScript engine at commit 590345cc6258317c5da850d846ce6baaf2afc2d3.

What the fix does

The patch updates the vendor test subproject commit from 71d8a3453148662bcbde7cd8180aaea7bf29ae32 to e17c4680af0a133981ab19aa6ea0b67bd705f66c. The advisory and patch do not include a code diff showing the internal engine changes, so the exact mechanism of the fix (e.g., adding recursion depth limits or converting recursion to iteration) is not visible from the supplied bundle. The commit message only indicates a vendor test update.
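
The two fix strategies named above (a recursion depth limit, or converting recursion to iteration), shown side by side on a toy nested-bracket grammar in C++. This is an added example, not Escargot code and not the change from the pull request; the grammar, the function names and the `max_depth` parameter are assumptions made for illustration.

```cpp
// Added illustration, not Escargot code. Toy grammar (an assumption):
//   value := '[' value* ']' | '{' value* '}'
#include <cstddef>
#include <string>
#include <vector>

enum class Result { Ok, Malformed, TooDeep };

// Strategy 1: keep the recursion, but refuse to descend past max_depth.
static Result parse_value(const std::string& s, std::size_t& pos,
                          std::size_t depth, std::size_t max_depth) {
    if (pos >= s.size() || (s[pos] != '[' && s[pos] != '{')) return Result::Malformed;
    if (depth > max_depth) return Result::TooDeep;  // checked before any deeper call
    const char close = (s[pos] == '[') ? ']' : '}';
    ++pos;
    while (pos < s.size() && s[pos] != ']' && s[pos] != '}') {
        Result r = parse_value(s, pos, depth + 1, max_depth);
        if (r != Result::Ok) return r;
    }
    if (pos >= s.size() || s[pos] != close) return Result::Malformed;
    ++pos;
    return Result::Ok;
}

Result check_recursive(const std::string& s, std::size_t max_depth) {
    std::size_t pos = 0;
    Result r = parse_value(s, pos, 1, max_depth);
    return (r == Result::Ok && pos != s.size()) ? Result::Malformed : r;
}

// Strategy 2: no recursion; nesting is tracked in a heap vector with a cap,
// so input depth never translates into native stack frames.
Result check_iterative(const std::string& s, std::size_t max_depth) {
    std::vector<char> open;  // closers still expected, innermost last
    for (std::size_t i = 0; i < s.size(); ++i) {
        const char c = s[i];
        if (c == '[' || c == '{') {
            if (open.empty() && i != 0) return Result::Malformed;  // second top-level value
            if (open.size() == max_depth) return Result::TooDeep;
            open.push_back(c == '[' ? ']' : '}');
        } else if (c == ']' || c == '}') {
            if (open.empty() || open.back() != c) return Result::Malformed;
            open.pop_back();
        } else return Result::Malformed;
    }
    return (open.empty() && !s.empty()) ? Result::Ok : Result::Malformed;
}

// Constructed input: n opening brackets followed by n closing brackets.
std::string nested(std::size_t n) { return std::string(n, '[') + std::string(n, ']'); }
```

With the guard in place, a million-level input is rejected after `max_depth` frames instead of consuming stack in proportion to attacker-controlled depth; the iterative form can accept the same input because its only cost is heap memory bounded by the cap.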

Preconditions

  • input: Attacker must supply a JavaScript input with deeply nested structures (objects, arrays, or function calls).
  • auth: No authentication required.
  • network: No network access required; local exploitation.
  • config: No special configuration required.

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
