PatchSiren

CVE-2026-47313 Samsung Open Source CVE debrief

A memory allocation vulnerability in Samsung's Escargot JavaScript engine allows excessive allocation, potentially causing denial of service through local attack vectors. The vulnerability affects commit 590345cc6258317c5da850d846ce6baaf2afc2d3 of the Escargot project. Samsung's PSIRT has identified this as CWE-789 (Memory Allocation with Excessive Size Value). A fix has been proposed via pull request. The CVSS 3.1 vector indicates a local attack vector with low attack complexity, no privileges required, user interaction required, and high availability impact.

Vendor: Samsung Open Source
Product: Escargot
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

This debrief is relevant to organizations running the Samsung Escargot JavaScript engine in production environments, particularly those processing untrusted or user-supplied JavaScript code. It also concerns security teams responsible for open source component management and JavaScript engine deployments, and developers integrating Escargot into embedded systems, IoT devices, or server-side JavaScript execution environments.

Technical summary

The Escargot JavaScript engine, developed by Samsung as open source software, contains a vulnerability classified under CWE-789, in which memory can be allocated with an excessive size value. This excessive allocation can lead to denial of service through resource exhaustion. The vulnerability is present in commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The CVSS 3.1 score of 5.5 (Medium) reflects a local attack scenario with low complexity and no privilege requirements that does require user interaction, with high availability impact and no confidentiality or integrity impact. Samsung's Product Security Incident Response Team (PSIRT) has submitted a pull request to address this issue.

Defensive priority

Medium

Recommended defensive actions

  • Review and apply the fix from Samsung's proposed pull request to address the memory allocation vulnerability
  • Implement resource limits and sandboxing for Escargot JavaScript engine execution to mitigate excessive memory allocation risks
  • Monitor Escargot repository for merged fix and subsequent security releases
  • Assess exposure of Escargot deployments in production environments, particularly where untrusted JavaScript execution occurs
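
One way to apply the resource-limit recommendation on Linux, as an added example that is not code from Samsung or the Escargot project: a supervisor that starts the engine in a child process with address-space and CPU caps, so an oversized allocation fails inside the child instead of exhausting the host. The cap values, function names and the Python stand-in child (used so the example runs without an Escargot build) are assumptions.

```python
import resource
import signal
import subprocess
import sys

# Constructed caps; tune them to what legitimate scripts need in your deployment.
MEMORY_CAP_BYTES = 1 << 30   # address-space ceiling for the engine process
CPU_CAP_SECONDS = 10         # CPU-time ceiling (kernel sends SIGXCPU beyond it)

# Stand-ins so the example runs without an Escargot build. In a deployment, argv
# is your engine command line, e.g. ["/path/to/engine", "script.js"] (hypothetical).
DEMO_OVERSIZED = [sys.executable, "-c", "bytearray(8 << 30)"]   # 8 GiB request
DEMO_BENIGN = [sys.executable, "-c", "bytearray(1 << 20)"]      # 1 MiB request


def _apply_limits():
    """Runs in the child between fork() and exec(): only the engine is capped."""
    for kind, wanted in ((resource.RLIMIT_AS, MEMORY_CAP_BYTES),
                         (resource.RLIMIT_CPU, CPU_CAP_SECONDS)):
        _, hard = resource.getrlimit(kind)
        # An unprivileged process cannot exceed the hard limit it inherited.
        cap = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
        resource.setrlimit(kind, (cap, cap))


def run_capped(argv, wall_timeout=30):
    """Run argv under the caps; return (exit_code, stderr). None means timeout."""
    try:
        proc = subprocess.run(argv, preexec_fn=_apply_limits, capture_output=True,
                              text=True, timeout=wall_timeout)
    except subprocess.TimeoutExpired:
        return None, "wall-clock timeout"
    return proc.returncode, proc.stderr


def classify(exit_code):
    """Map an exit status to a label a supervisor can log and alert on."""
    if exit_code is None:
        return "timeout"
    if exit_code < 0:  # subprocess reports death-by-signal as a negative number
        return "killed:" + signal.Signals(-exit_code).name
    return "ok" if exit_code == 0 else "failed"


if __name__ == "__main__":
    for argv in (DEMO_BENIGN, DEMO_OVERSIZED):
        print(classify(run_capped(argv)[0]))
```

RLIMIT_AS caps virtual address space, so set it with headroom above the engine's normal footprint; a cgroup memory limit is the usual complement for bounding resident memory.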

Evidence notes

The vulnerability description and affected version are derived from the official CVE record and NVD entry. The fix reference was confirmed via the GitHub pull request submitted by Samsung PSIRT. The CVSS vector and CWE classification are sourced from NVD metadata. Vendor attribution to Samsung is based on the PSIRT email domain and GitHub repository ownership.
