VYPR
High severity (8.8) · NVD Advisory · Published May 28, 2026

CVE-2026-8915

Description

Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers.

This issue affects Escargot: 36f5fb58366a67b713c02f6fd985e924fcc09e31.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds write in Samsung Escargot's ArrayBuffer.prototype.transfer due to missing size check, fixed in PR #1579.

Vulnerability

Out-of-bounds write vulnerability in Samsung Open Source Escargot, affecting version 36f5fb58366a67b713c02f6fd985e924fcc09e31. The issue is in ArrayBuffer.prototype.transfer where the newByteLength parameter is not validated against maxByteLength, allowing a crafted call to trigger an overflow buffer write [1].

Exploitation

An attacker can exploit this by calling ArrayBuffer.prototype.transfer with a newByteLength exceeding maxByteLength, bypassing the missing size check. No authentication or special privileges are required if the attacker can execute JavaScript in the context of Escargot [1].

Impact

Successful exploitation leads to an out-of-bounds write, potentially causing memory corruption and arbitrary code execution. The confidentiality, integrity, and availability of the system are at risk [1].

Mitigation

The vulnerability is fixed in pull request #1579, which adds a size validation check before the transfer operation. Users should update to the patched version. No workarounds are documented [1].

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Samsung Mobile / Escargot · 2 versions
    • (no CPE)
    • (no CPE) · range: = 36f5fb58366a67b713c02f6fd985e924fcc09e31

Patches

1

36f5fb58366a

Add size checking on ArrayBuffer.prototype.transfer

https://github.com/Samsung/escargot · Seonghyun Kim · May 21, 2026 · via nvd-ref
2 files changed · +5 −1
  • src/builtins/BuiltinArrayBuffer.cpp · +4 −0 · modified
    @@ -148,9 +148,13 @@ static Value builtinArrayBufferTransfer(ExecutionState& state, Value thisValue,
             newByteLength = argv[0].toIndex(state);
         }
     
    +    obj->throwTypeErrorIfDetached(state);
         Optional<uint64_t> maxLength;
         if (obj->isResizableArrayBuffer()) {
             maxLength = obj->maxByteLength();
    +        if (newByteLength > maxLength.value()) {
    +            ErrorObject::throwBuiltinError(state, ErrorCode::RangeError, state.context()->staticStrings().ArrayBuffer.string(), true, state.context()->staticStrings().transfer.string(), ErrorObject::Messages::GlobalObject_FirstArgumentInvalidLength);
    +        }
         }
         ArrayBuffer* newValue = ArrayBufferObject::allocateArrayBuffer(state, state.context()->globalObject()->arrayBuffer(), newByteLength, maxLength);
     
    
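Review bot: the new `if (newByteLength > maxLength.value())` check sits before `allocateArrayBuffer` and before the source buffer is detached, so a rejected oversize length leaves the caller's buffer attached with its original byteLength, which is the ordering the ECMAScript ArrayBufferCopyAndDetach steps call for; the regression test for this fix should assert both halves (RangeError thrown, source still usable), not only the throw. Placing `obj->throwTypeErrorIfDetached(state);` after `argv[0].toIndex(state)` is also the right order, because `toIndex` can run user `valueOf` code that detaches the buffer; a one-line comment there would stop a later cleanup from hoisting the detached check above the argument conversion. One remaining gap is that the check only runs inside the `isResizableArrayBuffer()` branch, so the fixed-length path still relies entirely on `allocateArrayBuffer` rejecting an oversize `newByteLength`; worth a sentence in the commit message confirming that path is bounded.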
  • test/vendortest · +1 −1 · modified
    @@ -1 +1 @@
    -Subproject commit e17c4680af0a133981ab19aa6ea0b67bd705f66c
    +Subproject commit a381b0eb941323dbdd2ba4285ce0affaf92fef1c
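Review bot: the `test/vendortest` submodule bump from `e17c4680` to `a381b0eb` is opaque in review: nothing in the hunk or in the commit title says which test cases it brings in or that they exercise the new RangeError path. Please name the tests (or the upstream test262 directory) in the commit message, and consider adding an in-tree test next to the C++ change so coverage of the fix does not depend on a submodule pointer.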
    

Vulnerability mechanics

Root cause

"Missing bounds check on newByteLength against maxByteLength in ArrayBuffer.prototype.transfer allows out-of-bounds write."

Attack vector

An attacker can trigger an out-of-bounds write by calling `ArrayBuffer.prototype.transfer()` on a resizable `ArrayBuffer` with a `newByteLength` argument that exceeds the buffer's `maxByteLength`. Because the original code lacked a bounds check on `newByteLength` against `maxLength`, the allocation could produce a smaller buffer than expected, leading to a write past the allocated region. The attack requires no authentication and can be delivered via a crafted web page or script that invokes the vulnerable API.

Affected code

The vulnerability resides in `src/builtins/BuiltinArrayBuffer.cpp` within the `builtinArrayBufferTransfer` function. The patch adds a size check when `newByteLength` exceeds `maxLength` for resizable `ArrayBuffer` objects, and also adds a `throwTypeErrorIfDetached` call before the transfer logic.

What the fix does

The patch adds a check that throws a `RangeError` when `newByteLength > maxLength.value()` for resizable `ArrayBuffer` objects, preventing the out-of-bounds write. It also adds a `throwTypeErrorIfDetached` call to ensure the buffer is not already detached before proceeding. These changes enforce proper bounds validation on the transfer operation, closing the overflow vulnerability.
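A conformance check for the behaviour the fix enforces, written here as an added JavaScript example; it is not code from Escargot or its test suite. It assumes an engine that implements resizable `ArrayBuffer` and `ArrayBuffer.prototype.transfer` (the fixture buffer, its `maxByteLength` of 16 and the 1..8 byte pattern are constructed for the example). On a patched engine the oversize length is rejected with a `RangeError` before the source is allocated for or detached, an in-range length yields a new buffer carrying the old bytes and detaches the source, and a transfer on an already detached buffer fails with a `TypeError`, which is the case `throwTypeErrorIfDetached` covers.

```javascript
'use strict';
// Added conformance check (not Escargot project code) for the semantics the fix
// enforces on ArrayBuffer.prototype.transfer. Fixture values are constructed here.

const FIXTURE_BYTES = [1, 2, 3, 4, 5, 6, 7, 8]; // constructed sample contents
const FIXTURE_MAX = 16;                         // constructed maxByteLength

// Builds a resizable buffer and fills it with a known pattern.
function makeResizable() {
  const buf = new ArrayBuffer(FIXTURE_BYTES.length, { maxByteLength: FIXTURE_MAX });
  new Uint8Array(buf).set(FIXTURE_BYTES);
  return buf;
}

// True when the engine exposes both resizable buffers and transfer().
function engineSupportsTransfer() {
  if (typeof ArrayBuffer.prototype.transfer !== 'function') return false;
  const probe = new ArrayBuffer(1, { maxByteLength: 2 });
  return probe.resizable === true;
}

// Performs one transfer and reports the outcome without letting an exception escape.
function tryTransfer(buf, newByteLength) {
  try {
    return { error: null, result: buf.transfer(newByteLength) };
  } catch (e) {
    const kind = e instanceof RangeError ? 'RangeError'
      : e instanceof TypeError ? 'TypeError' : 'Other';
    return { error: kind, result: null };
  }
}

// Runs the three cases a patched engine must get right:
//  1. newByteLength > maxByteLength  -> RangeError, source untouched (the CVE path)
//  2. newByteLength within bounds    -> new buffer, prefix copied, source detached
//  3. transfer on a detached buffer  -> TypeError (the throwTypeErrorIfDetached path)
function checkTransferBounds() {
  if (!engineSupportsTransfer()) return { supported: false };

  const src = makeResizable();

  // Case 1: one byte past maxByteLength must be rejected before anything is
  // allocated or detached, so the source keeps its length and contents.
  const oversize = tryTransfer(src, FIXTURE_MAX + 1);
  const sourceIntactAfterError =
    src.detached !== true && src.byteLength === FIXTURE_BYTES.length;

  // Case 2: growing within maxByteLength is legal; the result keeps the
  // resizability and maximum of the source, and the old bytes are copied.
  const grown = tryTransfer(src, 12);
  const inRange = grown.result;
  const preservedPrefix = inRange
    ? Array.from(new Uint8Array(inRange, 0, FIXTURE_BYTES.length))
    : null;

  // Case 3: src is now detached; another transfer must fail with TypeError.
  const onDetached = tryTransfer(src, 4);

  return {
    supported: true,
    oversizeError: oversize.error,
    sourceIntactAfterError,
    inRangeError: grown.error,
    inRangeLength: inRange ? inRange.byteLength : -1,
    inRangeResizable: inRange ? inRange.resizable : null,
    inRangeMax: inRange ? inRange.maxByteLength : -1,
    preservedPrefix,
    sourceDetachedAfterTransfer: src.detached === true || src.byteLength === 0,
    detachedError: onDetached.error,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(checkTransferBounds(), null, 2));
}
```

Run it with `node` on the engine under test; an engine that lacks `transfer()` or resizable buffers reports `supported: false` instead of failing, so the check is safe to drop into a test matrix that spans older runtimes.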

Preconditions

  • [input] Attacker must be able to execute JavaScript code that calls ArrayBuffer.prototype.transfer() on a resizable ArrayBuffer
  • [input] The resizable ArrayBuffer must have a maxByteLength smaller than the newByteLength argument passed to transfer()

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
