PatchSiren cyber security CVE debrief
CVE-2026-47308 Samsung Open Source CVE debrief
A NULL pointer dereference vulnerability exists in Samsung Open Source Walrus, a WebAssembly runtime engine. The flaw, present in commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9, allows for pointer manipulation that could lead to denial of service conditions. The vulnerability requires local access with user interaction, as indicated by the CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Samsung's PSIRT has identified the root cause as CWE-476 (NULL Pointer Dereference). A fix has been proposed via GitHub pull request 409. The vulnerability was published to CVE on May 19, 2026, with a subsequent modification later that day. No known exploitation in the wild or ransomware campaign use has been reported.
- Vendor: Samsung Open Source
- Product: Walrus
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations using Samsung Walrus for WebAssembly execution, particularly in multi-tenant or user-facing environments where untrusted WASM modules may be processed. Security teams responsible for supply chain and open source component management should prioritize patching.
Technical summary
The vulnerability stems from improper handling of NULL pointers within the Samsung Walrus WebAssembly runtime. An attacker can trigger a NULL pointer dereference through crafted input, resulting in pointer manipulation that may crash the runtime (availability impact: HIGH). The attack requires local access and user interaction, limiting exploitability. The issue is classified under CWE-476. Remediation is available through the referenced pull request.
Defensive priority
medium
Recommended defensive actions
- Review and apply the fix from Samsung Walrus pull request 409 when merged
- Upgrade to a Walrus version subsequent to commit f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9 that incorporates the remediation
- Validate WebAssembly module inputs before execution to reduce attack surface
- Monitor Samsung Walrus repository for security advisories and release notes
Evidence notes
The CVE description explicitly identifies the affected commit hash (f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9) and characterizes the issue as NULL pointer dereference enabling pointer manipulation. The CVSS 3.1 vector confirms local attack vector with user interaction required. Samsung PSIRT attributed CWE-476 as the weakness type. A remediation pull request is publicly visible.
Official resources
- CVE-2026-47308 CVE record (CVE.org)
- CVE-2026-47308 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
The vulnerability was disclosed through Samsung's Product Security Incident Response Team (PSIRT) and published in the National Vulnerability Database on May 19, 2026.