{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41666", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "state": "PUBLISHED", "assignerShortName": "samsung.tv_appliance", "dateReserved": "2026-04-22T00:52:02.298Z", "datePublished": "2026-04-22T05:56:18.693Z", "dateUpdated": "2026-05-03T22:42:44.406Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-05-03T22:42:44.406Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-190", "description": "CWE-190 Integer overflow or wraparound", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "ONE", "versions": [{"status": "affected", "version": "1.30.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation.\nAffected version is prior to commit 1.30.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation.<br>Affected version is prior to commit 1.30.0.<br>"}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"}}], "credits": [{"lang": "en", "value": "Sebasti\u00e1n Alba Vives", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T12:32:32.183405Z", "id": "CVE-2026-41666", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T12:33:15.335Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41666", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T12:32:32.183405Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T12:32:37.367Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sebasti\u00e1n Alba Vives"}], "impacts": [{"capecId": "CAPEC-100", "descriptions": [{"lang": "en", "value": "CAPEC-100 Overflow Buffers"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "ONE", "versions": [{"status": "affected", "version": "1.30.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation.\nAffected version is prior to commit 1.30.0.", "supportingMedia": [{"type": "text/html", "value": "Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation.<br>Affected version is prior to commit 1.30.0.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer overflow or wraparound"}]}], "providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-05-03T22:42:44.406Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41666", "state": "PUBLISHED", "dateUpdated": "2026-05-03T22:42:44.406Z", "dateReserved": "2026-04-22T00:52:02.298Z", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "datePublished": "2026-04-22T05:56:18.693Z", "assignerShortName": "samsung.tv_appliance"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DBBA2E4-036F-40C0-B2EF-D14AB3C83B6E", "versionEndExcluding": "1.30.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation.\nAffected version is prior to commit 1.30.0."}], "id": "CVE-2026-41666", "lastModified": "2026-04-27T18:21:30.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "PSIRT@samsung.com", "type": "Secondary"}]}, "published": "2026-04-22T07:16:13.867", "references": [{"source": "PSIRT@samsung.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/Samsung/ONE/pull/16481"}], "sourceIdentifier": "PSIRT@samsung.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "PSIRT@samsung.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.30.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "one", "vendor": "samsung_open_source"}], "analysis": {"en": {"generated_at": "2026-04-22T07:23:51.245153+00:00", "value": {"mitigation_remediation": ["Upgrade Open Source ONE to commit 1.30.0 or later, which addresses the integer overflow in tensor copy size calculation.", "If an immediate update is not possible, isolate the ONE process from untrusted tensor inputs and validate tensor sizes before copying to prevent out-of-bounds access.", "Monitor the application for abnormal crashes or memory corruption events, and consider disabling or sandboxing tensor operations until the patch is applied."], "summary": {"action": "Apply Patch", "impact": "Out-of-Bounds Access"}, "threat_synthesis": {"affected_systems": "Samsung Open Source ONE for all versions prior to commit 1.30.0. No higher\u2011level product names are provided in the CNA data, but the stated affected-range covers every build before that commit.", "description_and_impact": "Integer overflow occurs during tensor copy size calculation in Samsung Open Source ONE, which can cause the program to read or write memory beyond the intended bounds during loop state propagation. This flaw falls under CWE\u2011190 and may lead to memory corruption, potentially allowing an attacker to disrupt system integrity or, in a worst\u2011case scenario, execute arbitrary code if the bounds violation can be leveraged to overwrite control data.", "risk_and_exploitability": "The CVSS score of 6.6 indicates moderate severity, and the flaw is not listed in the CISA KEV catalog. EPSS is not available, so exploitation likelihood cannot be quantified. The attack vector is inferred to be an attacker able to supply crafted tensor data that triggers the overflow; the flaw does not require privileged access or network exposure, but would likely need local execution within the application. Successful exploitation could corrupt memory, crash the process, or provide a foothold for further compromise if additional vulnerabilities exist."}}}}, "created": "2026-04-22T07:30:11.592359+00:00", "title": "Integer Overflow in Tensor Copy Size Calculation Leading to Out\u2011of\u2011Bounds Access in Samsung Open Source ONE", "updated": "2026-04-22T11:44:35.858086+00:00", "vendors": ["samsung_open_source", "samsung_open_source$PRODUCT$one"]}