PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47310 Samsung Open Source CVE debrief

A use-after-free vulnerability in Samsung's Escargot JavaScript engine allows pointer manipulation, potentially enabling arbitrary code execution. The vulnerability affects commit 590345cc6258317c5da850d846ce6baaf2afc2d3. A fix has been proposed via pull request.

Vendor: Samsung Open Source
Product: Escargot
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations embedding the Escargot JavaScript engine in products; developers maintaining Escargot-based applications; security teams monitoring memory safety issues in language runtimes.

Technical summary

CVE-2026-47310 is a use-after-free (CWE-416) vulnerability in Samsung's open-source Escargot JavaScript engine. The flaw enables pointer manipulation and is rated HIGH severity (CVSS 7.8) with local attack vector, low attack complexity, and high impact to confidentiality, integrity, and availability. The vulnerability requires user interaction but no privileges. Affected code is at commit 590345cc6258317c5da850d846ce6baaf2afc2d3. Samsung PSIRT has submitted a fix via GitHub pull request.

Defensive priority

HIGH

Recommended defensive actions

  • Review and apply the proposed fix from Samsung's Escargot pull request 1565 when merged
  • Upgrade Escargot to a version beyond commit 590345cc6258317c5da850d846ce6baaf2afc2d3 once available
  • Audit applications using Escargot for untrusted JavaScript execution contexts
  • Monitor NVD for updated analysis and the vendor advisory
  • Implement sandboxing for Escargot execution environments where feasible

Evidence notes

CVE published 2026-05-19. NVD status: Undergoing Analysis. CVSS 3.1: 7.8 (HIGH). CWE-416 (Use After Free). Fix proposed in GitHub PR 1565.
