{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25206", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "state": "PUBLISHED", "assignerShortName": "samsung.tv_appliance", "dateReserved": "2026-01-30T06:07:11.090Z", "datePublished": "2026-04-13T04:44:33.446Z", "dateUpdated": "2026-04-13T13:16:57.720Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-04-13T05:40:35.061Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds read", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "Escargot", "versions": [{"status": "affected", "version": "97e8115ab1110bc502b4b5e4a0c689a71520d335"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.<p>This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.</p>"}]}], "references": [{"url": "https://github.com/Samsung/escargot/pull/1554"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.7, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H"}}], "credits": [{"lang": "en", "value": "Sebasti\u00e1n Alba Vives / @Sebasteuo", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T13:16:49.823606Z", "id": "CVE-2026-25206", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:16:57.720Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25206", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T13:16:49.823606Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T13:16:54.409Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "Sebasti\u00e1n Alba Vives / @Sebasteuo"}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "Escargot", "versions": [{"status": "affected", "version": "97e8115ab1110bc502b4b5e4a0c689a71520d335"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/Samsung/escargot/pull/1554"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.<p>This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds read"}]}], "providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-04-13T05:40:35.061Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25206", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:16:57.720Z", "dateReserved": "2026-01-30T06:07:11.090Z", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "datePublished": "2026-04-13T04:44:33.446Z", "assignerShortName": "samsung.tv_appliance"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335."}], "id": "CVE-2026-25206", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.2, "source": "PSIRT@samsung.com", "type": "Secondary"}]}, "published": "2026-04-13T05:16:02.540", "references": [{"source": "PSIRT@samsung.com", "url": "https://github.com/Samsung/escargot/pull/1554"}], "sourceIdentifier": "PSIRT@samsung.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "PSIRT@samsung.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "97e8115ab1110bc502b4b5e4a0c689a71520d335"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Escargot", "source": "cna", "vendor": "Samsung Open Source"}, "product": "escargot", "vendor": "samsung_open_source"}], "analysis": {"en": {"generated_at": "2026-04-13T06:51:58.973878+00:00", "value": {"mitigation_remediation": ["Apply the patch committed in the GitHub pull request linked in the advisory, which corrects the out-of-bounds read logic.", "If immediate patching is not possible, isolate or sandbox the Escargot engine to limit the impact of malicious inputs and monitor for abnormal memory access patterns."], "summary": {"action": "Immediate Patch", "impact": "Resource Leak Exposure"}, "threat_synthesis": {"affected_systems": "The flaw resides in Samsung Open Source Escargot and is identified by the commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335. No specific release or version number is enumerated in the advisory, so any revision that contains this commit remains vulnerable until a patch is applied.", "description_and_impact": "An out-of-bounds read flaw in Samsung Open Source Escargot permits the program to read memory beyond its intended boundary, exposing internal data structures and heap contents. Classified as CWE\u2011125, the vulnerability can disclose sensitive information without causing a crash or altering program state. It becomes exploitable when Escargot processes malformed inputs, enabling the reading of unintended memory regions.", "risk_and_exploitability": "The CVSS score of 6.7 indicates moderate severity, suggesting that an attacker can gain partial data disclosure but lacks the capability for remote code execution. The EPSS score is unavailable and the vulnerability has not been listed in the CISA KEV catalog, implying no confirmed public exploits are known. Exfiltration of data would likely be limited to environments where the Escargot engine is exposed to untrusted input; the vulnerability requires crafted input to trigger the out-of-bounds read."}}}}, "created": "2026-04-13T12:37:21.258569+00:00", "title": "Escargot Resource Leak via Out-of-Bounds Read", "updated": "2026-04-13T12:53:08.895376+00:00", "vendors": ["samsung_open_source", "samsung_open_source$PRODUCT$escargot"]}