PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47309 Samsung Open Source CVE debrief

CVE-2026-47309 documents an uncontrolled recursion vulnerability in Samsung's Escargot JavaScript engine; the affected revision is identified by commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The flaw allows an oversized serialized data payload to drive the engine into excessive recursion, exhausting the native stack and crashing the process (denial of service). The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), base score 5.5 (Medium), describes a local attack that needs user interaction but no privileges, with no confidentiality or integrity impact and high availability impact. Samsung's PSIRT has assigned CWE-674 (Uncontrolled Recursion) as the weakness classification. The vulnerability was disclosed on May 19, 2026, and the NVD entry is currently marked 'Undergoing Analysis'. A pull request (#1565) addressing the issue has been submitted to the Escargot repository.

Vendor
Samsung Open Source
Product
Escargot
CVSS
MEDIUM 5.5
CISA KEV
Not listed (no KEV entry in the stored evidence)
Original CVE published
2026-05-19
Original CVE updated
2026-05-19
Advisory published
2026-05-19
Advisory updated
2026-05-19

Who should care

Organizations deploying Escargot-based applications, embedded systems that ship Samsung's JavaScript engine, and developers maintaining forks or custom builds of Escargot should prioritize this patch. The risk is greatest for applications that hand untrusted serialized data from external sources to the engine. Note that the base vector assumes a local attacker and user interaction; where a host application automatically feeds serialized data received over the network or read from files into Escargot, the practical exposure is higher than the 5.5 base score suggests, and a crash of the engine takes down whatever process embeds it.

Technical summary

The Escargot JavaScript engine, Samsung's open-source ECMAScript implementation, contains an uncontrolled recursion vulnerability in its handling of serialized data payloads. When processing a specially crafted oversized serialized payload, the engine recurses without an adequate depth limit; each level of recursion consumes native stack, so a sufficiently large input exhausts the stack and the process aborts. The impact is availability only (C:N/I:N), but in an embedded deployment with a single JavaScript runtime that is equivalent to taking down the host application. The vulnerability is present in commit 590345cc6258317c5da850d846ce6baaf2afc2d3. Attack vectors require local access and user interaction, typically through execution of malicious scripts or data files. The fix involves modifications to recursion handling in the serialization/deserialization code path, as proposed in the referenced pull request.

Defensive priority

Medium

Recommended defensive actions

  • Review and apply pull request #1565 once it is merged to address uncontrolled recursion in Escargot's serialization handling
  • Implement input validation on serialized data payloads before they reach Escargot: a size limit, and, because recursion depth tracks the structural nesting of the input, an explicit nesting-depth limit enforced by a non-recursive pre-check
  • Monitor the Escargot repository for an official release containing the fix; until then, treat any build at or before the affected commit as vulnerable
  • Assess applications using Escargot commit 590345cc6258317c5da850d846ce6baaf2afc2d3 or earlier for exposure to crafted serialized data, giving priority to any path where the payload originates outside the device or process
  • Run Escargot in an isolated process with resource limits where the architecture allows; a stack-size limit does not prevent the crash, but process isolation confines the denial of service to the engine process instead of the whole application
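The mechanism described in the technical summary and the depth-limit recommendation above, as an added example in C++ (the language Escargot is written in). This is not Escargot's code and does not reproduce its serialization format; it uses a stand-in bracket-nested payload such as "[[1,2],[3]]" (an assumption) to show the CWE-674 shape of the bug, the same parser with a bounded depth, and a linear pre-scan that rejects deep input before any recursive code runs. All function names are hypothetical.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Toy tree produced by the stand-in deserializer (not an Escargot type).
struct Node {
    std::vector<std::unique_ptr<Node>> children; // empty for a leaf
    int value = 0;                               // leaf payload
};

static int parseInt(const std::string& in, size_t& pos) {
    size_t start = pos;
    while (pos < in.size() && in[pos] >= '0' && in[pos] <= '9') ++pos;
    if (start == pos) throw std::runtime_error("expected digit");
    return std::stoi(in.substr(start, pos - start));
}

// Vulnerable shape (CWE-674): every '[' adds a native stack frame with no
// bound, so the attacker chooses how much stack is consumed. Shown only for
// contrast; never call it on untrusted input.
static std::unique_ptr<Node> parseUnbounded(const std::string& in, size_t& pos) {
    auto node = std::make_unique<Node>();
    if (pos < in.size() && in[pos] == '[') {
        ++pos;
        while (pos < in.size() && in[pos] != ']') {
            node->children.push_back(parseUnbounded(in, pos));
            if (pos < in.size() && in[pos] == ',') ++pos;
        }
        if (pos >= in.size()) throw std::runtime_error("unterminated list");
        ++pos; // consume ']'
    } else {
        node->value = parseInt(in, pos);
    }
    return node;
}

// Hardened shape: same grammar, but entering a list past maxDepth is a
// parse error instead of another stack frame.
static std::unique_ptr<Node> parseBounded(const std::string& in, size_t& pos,
                                          size_t depth, size_t maxDepth) {
    auto node = std::make_unique<Node>();
    if (pos < in.size() && in[pos] == '[') {
        if (depth + 1 > maxDepth) throw std::runtime_error("nesting too deep");
        ++pos;
        while (pos < in.size() && in[pos] != ']') {
            node->children.push_back(parseBounded(in, pos, depth + 1, maxDepth));
            if (pos < in.size() && in[pos] == ',') ++pos;
        }
        if (pos >= in.size()) throw std::runtime_error("unterminated list");
        ++pos; // consume ']'
    } else {
        node->value = parseInt(in, pos);
    }
    return node;
}

// Non-recursive pre-scan: maximum bracket nesting in the raw bytes. Cheap
// enough to run on every payload before the recursive parser sees it.
size_t maxNestingDepth(const std::string& in) {
    size_t depth = 0, maxDepth = 0;
    for (char c : in) {
        if (c == '[') { if (++depth > maxDepth) maxDepth = depth; }
        else if (c == ']') { if (depth > 0) --depth; }
    }
    return maxDepth;
}

// Recursion here is safe only because the tree depth is already bounded.
static long countNodes(const Node& n) {
    long total = 1;
    for (const auto& c : n.children) total += countNodes(*c);
    return total;
}

// Returns the node count on success, -1 if the payload is rejected.
long deserialize(const std::string& in, size_t maxDepth, bool preScan = true) {
    if (preScan && maxNestingDepth(in) > maxDepth) return -1; // gate first
    size_t pos = 0;
    try {
        auto root = parseBounded(in, pos, 0, maxDepth);
        if (pos != in.size()) return -1; // trailing garbage
        return countNodes(*root);
    } catch (const std::exception&) {
        return -1; // depth or syntax error, no crash
    }
}

long deserializeUnbounded(const std::string& in) {
    size_t pos = 0;
    auto root = parseUnbounded(in, pos);
    return countNodes(*root);
}

// Constructed payload: n nested lists around a single leaf, e.g. "[[[1]]]".
std::string nestedPayload(size_t n) {
    return std::string(n, '[') + "1" + std::string(n, ']');
}

int main() {
    std::cout << "small payload, unbounded parser: " << deserializeUnbounded("[[1,2],[3]]") << " nodes\n";
    std::cout << "50000-deep payload, gated: " << deserialize(nestedPayload(50000), 512) << "\n";
    std::cout << "600-deep payload, bounded parser only: " << deserialize(nestedPayload(600), 512, false) << "\n";
    return 0;
}
```

The pre-scan and the in-parser bound enforce the same limit (a list may open only while fewer than maxDepth lists are already open), so a payload that passes the gate can never trip the parser's check; the gate exists so that a rejected payload costs one linear pass and never reaches recursive code at all. The 512 figure is a placeholder; choose it from the deepest legitimate structure the application produces, not from the stack size.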

Evidence notes

Vulnerability confirmed through official Samsung PSIRT disclosure and NVD entry. Affected version identified by specific Git commit hash. Remediation evidence exists via referenced pull request.

Official resources

2026-05-19