PatchSiren

CVE-2026-47312 Samsung Open Source CVE debrief

A use-after-free vulnerability in Samsung's Escargot JavaScript engine allows local attackers to cause denial of service through buffer manipulation. The issue affects a specific commit (590345cc6258317c5da850d846ce6baaf2afc2d3) of the open-source project. A fix has been proposed via pull request.

Vendor: Samsung Open Source
Product: Escargot
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations deploying the Samsung Escargot JavaScript engine in embedded systems, IoT devices, or applications that process untrusted JavaScript code; security teams tracking open-source engine vulnerabilities; and developers maintaining Escargot-based products.

Technical summary

CVE-2026-47312 is a use-after-free vulnerability (CWE-763) in Samsung's open-source Escargot JavaScript engine. The flaw exists in commit 590345cc6258317c5da850d846ce6baaf2afc2d3 and allows buffer manipulation through improper release of an invalid pointer or reference. The vulnerability requires local access and user interaction, with no confidentiality or integrity impact but high availability impact (denial of service). Samsung PSIRT has identified the weakness and referenced a fix in GitHub PR #1565. NVD currently lists the entry as 'Undergoing Analysis', indicating technical details may be refined.

Defensive priority

medium

Recommended defensive actions

  • Review Samsung Escargot deployments and identify systems running commit 590345cc6258317c5da850d846ce6baaf2afc2d3 or earlier
  • Monitor GitHub PR #1565 for merge status and official release tagging
  • Apply the updated Escargot version once Samsung releases a patched build
  • Restrict execution of untrusted JavaScript in Escargot-based applications as an interim mitigation
  • Track the NVD 'Undergoing Analysis' status for CVSS revisions or additional technical details
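
For the first action above, one way to triage source checkouts, as an added example that is not part of the advisory or the Escargot project: it classifies a git working tree against the commit named above. The function name, the status words and the directory arguments are assumptions; NEEDS_REVIEW only means HEAD is not at or before that commit, not that the fix is present.

```shell
#!/bin/sh
# Added example: classify local Escargot checkouts against the advisory commit.
# Function name and status words are assumptions, not part of any project tool.
AFFECTED_COMMIT=590345cc6258317c5da850d846ce6baaf2afc2d3

# check_escargot_checkout REPO_DIR [COMMIT]
# Prints one of:
#   AFFECTED      HEAD is the named commit or an ancestor of it ("or earlier")
#   NEEDS_REVIEW  HEAD is not at or before the commit; confirm separately
#                 that the change from PR #1565 is present in this tree
#   UNKNOWN       not a git checkout, or the commit object is missing
#                 (shallow clone, vendored source without history)
check_escargot_checkout() {
    repo=$1
    commit=${2:-$AFFECTED_COMMIT}

    # Not a git working tree: nothing can be concluded from history.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo UNKNOWN; return 0
    fi
    # The commit object must exist locally for an ancestry test to mean anything.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo UNKNOWN; return 0
    fi
    # Exit status 0: HEAD is an ancestor of (or equal to) the commit.
    # Exit status 1: it is not. Anything else is a git error (e.g. no HEAD).
    rc=0
    git -C "$repo" merge-base --is-ancestor HEAD "$commit" 2>/dev/null || rc=$?
    case $rc in
        0) echo AFFECTED ;;
        1) echo NEEDS_REVIEW ;;
        *) echo UNKNOWN ;;
    esac
}

# Usage: sh check_escargot.sh /path/to/escargot [/another/checkout ...]
for dir in "$@"; do
    printf '%s\t%s\n' "$dir" "$(check_escargot_checkout "$dir")"
done
```

UNKNOWN results from vendored copies without history need a manual comparison of the source against the upstream tree.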

Evidence notes

NVD lists this as 'Undergoing Analysis' with CVSS 3.1 score 5.5 (MEDIUM). CWE-763 (Release of Invalid Pointer or Reference) assigned by Samsung PSIRT. Fix reference points to GitHub PR #1565.
