PatchSiren

CVE-2026-47311 Samsung Open Source CVE debrief

A heap-based buffer overflow vulnerability exists in Samsung Open Source Escargot, a JavaScript engine. The vulnerability affects commit 590345cc6258317c5da850d846ce6baaf2afc2d3 and is classified as CWE-122 (Heap-based Buffer Overflow). The CVSS 3.1 vector indicates a local attack vector requiring user interaction, with high impacts to confidentiality, integrity, and availability. Samsung's PSIRT has identified a remediation pull request addressing this issue.

Vendor: Samsung Open Source
Product: Escargot
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations deploying the Samsung Escargot JavaScript engine in embedded systems, IoT devices, or server-side JavaScript execution environments; security teams tracking memory safety vulnerabilities in language runtimes; developers maintaining applications that depend on Escargot for JavaScript execution.

Technical summary

CVE-2026-47311 is a heap-based buffer overflow (CWE-122) in Samsung's Open Source Escargot JavaScript engine. The vulnerability is present in commit 590345cc6258317c5da850d846ce6baaf2afc2d3. With a CVSS 3.1 score of 7.8 (HIGH), the attack requires local access and user interaction but can result in complete compromise of confidentiality, integrity, and availability. Samsung PSIRT has referenced GitHub pull request 1565 as the remediation path. The NVD entry remains under analysis as of the modified date.

Defensive priority

HIGH

Recommended defensive actions

  • Review Samsung Escargot deployment inventory to identify systems running affected commit 590345cc6258317c5da850d846ce6baaf2afc2d3
  • Monitor GitHub pull request 1565 for merge status and official patch release from Samsung
  • Apply vendor-supplied patch when available; prioritize systems processing untrusted JavaScript input
  • Implement application sandboxing and input validation controls to reduce attack surface
  • Track NVD analysis status for updated technical details and confirmed fix versions

Evidence notes

CVE published 2026-05-19T07:16:30.070Z; modified 2026-05-19T14:25:40.320Z. NVD status: Undergoing Analysis. Samsung PSIRT reference to GitHub pull request 1565 provided as remediation evidence. CVSS 3.1 score 7.8 (HIGH) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
