PatchSiren

CVE-2026-47317 Samsung Open Source CVE debrief

Summary

CVE-2026-47317 documents an Uncontrolled Recursion vulnerability in Samsung Open Source Escargot, a JavaScript engine, that can lead to Excessive Allocation. The vulnerability affects Escargot commit 590345cc6258317c5da850d846ce6baaf2afc2d3. The issue was published on 2026-05-19 and is currently undergoing analysis by NVD. A fix has been proposed via pull request.

Vendor: Samsung Open Source
Product: Escargot
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations and developers using the Samsung Escargot JavaScript engine in embedded systems, IoT devices, or server-side JavaScript execution environments, and security teams responsible for JavaScript engine deployments and supply chain security.

Technical summary

CVE-2026-47317 is an Uncontrolled Recursion vulnerability (CWE-674) in the Samsung Open Source Escargot JavaScript engine. The vulnerability exists in commit 590345cc6258317c5da850d846ce6baaf2afc2d3 and can result in Excessive Allocation, potentially causing denial of service through memory exhaustion. The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector with user interaction required. A fix has been proposed via GitHub pull request #1565 to the Samsung/escargot repository. Organizations using Escargot in production environments should monitor for the merged fix and implement resource constraints as a temporary mitigation.

Defensive priority

medium

Recommended defensive actions

  • Review and apply the fix from Samsung Escargot pull request #1565 when merged
  • Update Escargot to a version newer than commit 590345cc6258317c5da850d846ce6baaf2afc2d3 once available
  • Implement resource limits on JavaScript execution environments using Escargot to mitigate potential denial of service
  • Monitor Samsung Escargot repository for official security advisories and release notes
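
The resource-limit recommendation above, as an added example (not code from the advisory or from the Escargot project): a wrapper that starts the engine under kernel-enforced caps on address space, stack and CPU time, then classifies how the process ended. The `ESCARGOT_BIN` variable, the function names and the limit values are assumptions chosen for illustration, and a Linux host with a POSIX shell is assumed.

```shell
#!/bin/sh
# Added example: cap the resources of a process that runs untrusted JavaScript.
# Assumptions: Linux, a POSIX shell, and an engine binary at $ESCARGOT_BIN
# (hypothetical variable; the advisory does not name a binary or path).

# run_limited MEM_KB STACK_KB CPU_SEC CMD [ARGS...]
# Applies the limits in a subshell so the calling shell keeps its own limits.
run_limited() {
    mem_kb=$1; stack_kb=$2; cpu_sec=$3
    shift 3
    (
        ulimit -c 0           || exit 125   # no core files from crashes
        ulimit -v "$mem_kb"   || exit 125   # address space: bounds allocation
        ulimit -s "$stack_kb" || exit 125   # stack: bounds native recursion
        ulimit -t "$cpu_sec"  || exit 125   # CPU seconds: bounds runaway loops
        exec "$@"
    )
}

# classify_status STATUS -> one word a supervisor or log pipeline can alert on.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -eq 125 ]; then
        echo limit-setup-failed
    elif [ "$1" -gt 128 ]; then
        echo "killed-by-signal-$(($1 - 128))"
    else
        echo "exit-$1"
    fi
}

# Stand-alone use: ESCARGOT_BIN=/path/to/engine sh this_file.sh script.js
# The limit values below are constructed starting points, not vendor guidance.
if [ -n "${ESCARGOT_BIN:-}" ] && [ "$#" -ge 1 ]; then
    status=0
    run_limited 262144 8192 10 "$ESCARGOT_BIN" "$@" || status=$?
    echo "engine result: $(classify_status "$status")" >&2
    exit "$status"
fi
```

On Linux, a process that overruns the stack cap typically ends as `killed-by-signal-11` (SIGSEGV) and one that overruns the CPU cap as `killed-by-signal-24` (SIGXCPU), so a supervisor can alert on those outcomes instead of letting one script exhaust the host.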

Evidence notes

The CVE description identifies the affected component as Samsung Open Source Escargot and specifies the exact commit hash 590345cc6258317c5da850d846ce6baaf2afc2d3 as the affected version. The CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) indicates a local attack vector requiring user interaction, with high availability impact. CWE-674 (Uncontrolled Recursion) is identified as the weakness type. A pull request (#1565) has been submitted to the Samsung/escargot repository to address this issue.
