PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47307 Samsung Open Source CVE debrief

A NULL pointer dereference vulnerability exists in Samsung Open Source Walrus, a WebAssembly runtime. The flaw can be triggered by a crafted WebAssembly module containing deeply nested instructions, resulting in denial of service. The vulnerability affects Walrus commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9. A fix has been proposed via pull request.

Vendor: Samsung Open Source
Product: Walrus
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations operating WebAssembly execution services using Samsung Walrus, developers building applications with Walrus runtime, security teams monitoring WebAssembly supply chain risks, and infrastructure providers accepting untrusted WebAssembly modules from external sources.

Technical summary

The vulnerability stems from improper handling of deeply nested instructions in WebAssembly modules within the Walrus runtime. When processing a maliciously crafted module with excessive nesting depth, the runtime dereferences a NULL pointer, causing a crash and denial of service. The attack requires local access and user interaction to trigger, limiting its severity. The issue is specific to commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9 of the Samsung Walrus project. A remediation pull request has been submitted to address the underlying NULL pointer dereference condition.

Defensive priority

Medium

Recommended defensive actions

  • Review and apply the fix from Samsung Walrus pull request 409 when available
  • Validate WebAssembly module nesting depth before processing untrusted inputs
  • Monitor Samsung Walrus repository for official security advisory and patched release
  • Implement input validation and sandboxing for WebAssembly execution environments
  • Assess exposure of Walrus-based services to untrusted WebAssembly module ingestion
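
Added example of the nesting-depth check recommended above (not Walrus project code): a fail-closed pre-filter that decodes the function bodies of a wasm 1.0 binary, measures the deepest block/loop/if nesting, and refuses the module before a runtime parses it. The depth limit, the MVP-only opcode table and the sample module builder are assumptions made for this example.

```python
"""Nesting-depth pre-filter for untrusted WebAssembly binaries (hypothetical example, not
Walrus project code). Decodes the wasm 1.0 MVP instruction set only; anything unknown or
malformed is rejected (fail closed) rather than passed on to the runtime."""
def read_leb(buf, pos):  # unsigned LEB128 -> (value, new_pos); also used to skip signed immediates
    value = shift = 0
    while True:
        b = buf[pos]; pos += 1; value |= (b & 0x7F) << shift; shift += 7
        if not b & 0x80: return value, pos
        if shift > 70: raise ValueError("LEB128 too long")

def leb(n):  # unsigned LEB128 encoder, used only to construct the sample module below
    return bytes([n & 0x7F | 0x80]) + leb(n >> 7) if n > 0x7F else bytes([n])

# Immediate layout of MVP opcodes: count of LEB immediates, fixed byte count, or none.
LEBS = {o: 1 for o in (0x0C, 0x0D, 0x10, 0x20, 0x21, 0x22, 0x23, 0x24, 0x41, 0x42, 0xD2)}
LEBS.update({o: 2 for o in range(0x28, 0x3F)}); LEBS[0x11] = 2   # memargs, call_indirect
FIXED = {0x3F: 1, 0x40: 1, 0x43: 4, 0x44: 8, 0xD0: 1}            # memory.size/grow, f32/f64.const, ref.null
NONE = {0x00, 0x01, 0x05, 0x0F, 0x1A, 0x1B, 0xD1} | set(range(0x45, 0xC5))

def body_depth(code, pos, end):  # deepest block/loop/if nesting inside one function body
    depth = deepest = 0
    while pos < end:
        op = code[pos]; pos += 1
        if op in (0x02, 0x03, 0x04):             # block / loop / if, followed by a blocktype (1 LEB)
            depth += 1; deepest = max(deepest, depth); pos = read_leb(code, pos)[1]
        elif op == 0x0B: depth -= 1              # end
        elif op == 0x0E:                         # br_table: vec(labelidx) + default label
            n, pos = read_leb(code, pos)
            for _ in range(n + 1): pos = read_leb(code, pos)[1]
        elif op in LEBS:
            for _ in range(LEBS[op]): pos = read_leb(code, pos)[1]
        elif op in FIXED: pos += FIXED[op]
        elif op not in NONE: raise ValueError(f"undecoded opcode 0x{op:02x}")
    return deepest

def max_nesting_depth(module):  # walk the sections of a wasm 1.0 binary; deepest nesting of any function
    if module[:8] != b"\x00asm\x01\x00\x00\x00": raise ValueError("not a wasm 1.0 binary")
    pos, deepest = 8, 0
    while pos < len(module):
        sec_id = module[pos]; size, pos = read_leb(module, pos + 1); sec_end = pos + size
        if sec_id == 10:                                      # code section
            count, p = read_leb(module, pos)
            for _ in range(count):
                size, p = read_leb(module, p); body_end = p + size
                n, p = read_leb(module, p)                    # local declaration groups
                for _ in range(n): p = read_leb(module, p)[1] + 1   # skip count LEB and valtype byte
                deepest = max(deepest, body_depth(module, p, body_end)); p = body_end
        pos = sec_end
    return deepest

def is_safe_to_load(module, limit=1000):  # policy gate; the limit is an assumed value
    try: return max_nesting_depth(module) <= limit
    except (ValueError, IndexError): return False             # malformed input fails closed

def nested_module(nesting):  # constructed sample: one () -> () function of `nesting` nested blocks
    body = b"\x00" + b"\x02\x40" * nesting + b"\x0B" * (nesting + 1)   # no locals; blocks; ends
    sections = [(1, b"\x01\x60\x00\x00"), (3, b"\x01\x00"), (10, b"\x01" + leb(len(body)) + body)]
    return b"\x00asm\x01\x00\x00\x00" + b"".join(bytes([i]) + leb(len(s)) + s for i, s in sections)
```

Opcodes outside the MVP table (bulk-memory, SIMD, typed select) raise and therefore reject the module; widen the tables deliberately rather than guessing immediate sizes.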

Evidence notes

The CVE description identifies the affected component as Samsung Open Source Walrus, a WebAssembly runtime engine. The vulnerability is classified as CWE-476 (NULL Pointer Dereference). The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) indicates a local attack vector requiring user interaction, with high availability impact. A pull request addressing this issue has been submitted to the Samsung Walrus repository.

Official resources

2026-05-19