{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40449", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "state": "PUBLISHED", "assignerShortName": "samsung.tv_appliance", "dateReserved": "2026-04-13T04:23:34.943Z", "datePublished": "2026-04-22T05:51:35.259Z", "dateUpdated": "2026-04-22T13:08:23.828Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-04-22T05:51:35.259Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-190", "description": "CWE-190 Integer overflow or wraparound", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "ONE", "versions": [{"status": "affected", "version": "1.30.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Integer overflow in buffer size calculation could result in out of bounds memory access when handling large tensors in Samsung Open Source ONE.\nAffected version is prior to commit 1.30.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Integer overflow in buffer size calculation could result in out of bounds memory access when handling large tensors in Samsung Open Source ONE.<br>Affected version is prior to commit 1.30.0."}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:08:16.438781Z", "id": "CVE-2026-40449", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:08:23.828Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Integer overflow in buffer size calculation could result in out of bounds memory access when handling large tensors in Samsung Open Source ONE.\nAffected version is prior to commit 1.30.0."}], "id": "CVE-2026-40449", "lastModified": "2026-04-22T07:16:13.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "PSIRT@samsung.com", "type": "Secondary"}]}, "published": "2026-04-22T07:16:13.450", "references": [{"source": "PSIRT@samsung.com", "url": "https://github.com/Samsung/ONE/pull/16481"}], "sourceIdentifier": "PSIRT@samsung.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "PSIRT@samsung.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.30.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "one", "vendor": "samsung_open_source"}], "analysis": {"en": {"generated_at": "2026-04-22T07:25:38.784257+00:00", "value": {"mitigation_remediation": ["Upgrade to Samsung ONE 1.30.0 or later, where the integer overflow issue is fixed.", "If upgrading is unavailable, enforce strict validation on tensor dimensions to restrict them below a safe threshold before buffer size calculation.", "Implement runtime memory bounds checks or sandbox the tensor processing component to contain any potential memory corruption."], "summary": {"action": "Apply Patch", "impact": "Memory corruption via out-of-bounds"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Samsung Open Source ONE platform. Versions released before the 1.30.0 commit are vulnerable. The specific affected build references commit history and indicates that all releases prior to that point use the vulnerable buffer size calculation.", "description_and_impact": "Integer overflow in the buffer size calculation within Samsung Open Source ONE can cause out-of-bounds memory access when the system processes large tensors. This flaw could lead to memory corruption, potentially resulting in a denial of service or enabling further exploitation if an attacker can influence the contents of the corrupted memory. The flaw is classified as CWE\u2011190, reflecting a classic integer overflow weakness.", "risk_and_exploitability": "The CVSS score is 6.6, indicating medium severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting no publicly known exploitation. Likely attack vectors involve feeding excessively large tensors into the system; if the platform offers a remote API, an unauthenticated or authenticated attacker could trigger the overflow by submitting a crafted payload, while a local attacker would need access to run code with sufficient privilege to manipulate tensor inputs."}}}}, "created": "2026-04-22T07:30:11.593337+00:00", "title": "Integer Overflow in Buffer Size Calculation Causing Out\u2011of\u2011Bounds Memory Access in Samsung ONE", "updated": "2026-04-22T11:44:40.282158+00:00", "vendors": ["samsung_open_source", "samsung_open_source$PRODUCT$one"]}