{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25204", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "state": "PUBLISHED", "assignerShortName": "samsung.tv_appliance", "dateReserved": "2026-01-30T06:07:11.090Z", "datePublished": "2026-04-13T00:47:31.806Z", "dateUpdated": "2026-04-14T07:45:27.372Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-04-14T07:45:27.372Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of untrusted data", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-843", "description": "CWE-843 Access of resource using incompatible type ('type confusion')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "Escargot", "versions": [{"status": "affected", "version": "97e8115ab1110bc502b4b5e4a0c689a71520d335"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort.\n\nThis issue affects escarogt prior to\u00a0commit hash \n\n97e8115ab1110bc502b4b5e4a0c689a71520d335", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<div>Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort.</div><div>This issue affects escarogt prior to&nbsp;commit hash \n\n<span>97e8115ab1110bc502b4b5e4a0c689a71520d335</span>\n\n</div>"}]}], "references": [{"url": "https://github.com/Samsung/escargot/pull/1554"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "credits": [{"lang": "en", "value": "LeeJaeWook", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25204", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:36:54.369644Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:06:17.946Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25204", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:36:54.369644Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:58:04.251Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "LeeJaeWook"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "Escargot", "versions": [{"status": "affected", "version": "97e8115ab1110bc502b4b5e4a0c689a71520d335"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/Samsung/escargot/pull/1554"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort.\n\nThis issue affects escarogt prior to\u00a0commit hash \n\n97e8115ab1110bc502b4b5e4a0c689a71520d335", "supportingMedia": [{"type": "text/html", "value": "<div>Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort.</div><div>This issue affects escarogt prior to&nbsp;commit hash \n\n<span>97e8115ab1110bc502b4b5e4a0c689a71520d335</span>\n\n</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of untrusted data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843 Access of resource using incompatible type ('type confusion')"}]}], "providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-04-14T07:45:27.372Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25204", "state": "PUBLISHED", "dateUpdated": "2026-04-14T07:45:27.372Z", "dateReserved": "2026-01-30T06:07:11.090Z", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "datePublished": "2026-04-13T00:47:31.806Z", "assignerShortName": "samsung.tv_appliance"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort.\n\nThis issue affects escarogt prior to\u00a0commit hash \n\n97e8115ab1110bc502b4b5e4a0c689a71520d335"}], "id": "CVE-2026-25204", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "PSIRT@samsung.com", "type": "Secondary"}]}, "published": "2026-04-13T01:16:35.313", "references": [{"source": "PSIRT@samsung.com", "url": "https://github.com/Samsung/escargot/pull/1554"}], "sourceIdentifier": "PSIRT@samsung.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-843"}], "source": "PSIRT@samsung.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "97e8115ab1110bc502b4b5e4a0c689a71520d335"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Samsung Open Source", "source": "cna", "vendor": "Samsung Open Source escargot JavaScript engine"}, "product": "escargot", "vendor": "samsung_open_source"}], "analysis": {"en": {"generated_at": "2026-04-13T03:50:37.632880+00:00", "value": {"mitigation_remediation": ["Update Escargot to a revision that includes commit 97e8115ab1110bc502b4b5e4a0c689a71520d335 or later.", "If an immediate update is not possible, isolate or sandbox applications that employ Escargot to process external or untrusted JavaScript data, and enforce strict input validation before the deserialization step.", "Monitor system logs for unexpected process abort events and investigate any related anomalies."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is the Samsung Open Source Escargot JavaScript engine. All releases prior to the code change identified by commit hash 97e8115ab1110bc502b4b5e4a0c689a71520d335 are vulnerable; versions containing this commit or later are considered safe.", "description_and_impact": "A flaw exists in the Samsung Open Source Escargot JavaScript engine that allows untrusted serialized data to be processed without sufficient validation. Deserialization of such data can provoke a process abort, effectively halting the engine and causing a denial of service to any application that relies on it. The weakness is rooted in unsafe deserialization practices and improper type handling, as indicated by the associated CWEs.", "risk_and_exploitability": "With a CVSS score of 6.2 the vulnerability is classified as medium severity. The EPSS score is not provided and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit this weakness by delivering maliciously crafted serialized data to Escargot\u2014potentially through web content, script files, or other mechanisms that trigger the engine. The effect is limited to service disruption, with no direct path to data exposure or privilege escalation."}}}}, "created": "2026-04-13T12:37:58.335980+00:00", "title": "Denial of Service via Untrusted Data Deserialization in Samsung Escargot", "updated": "2026-04-13T12:53:46.041561+00:00", "vendors": ["samsung_open_source", "samsung_open_source$PRODUCT$escargot"]}