{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6840", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "state": "PUBLISHED", "assignerShortName": "samsung.tv_appliance", "dateReserved": "2026-04-22T06:03:55.371Z", "datePublished": "2026-04-22T06:08:31.789Z", "dateUpdated": "2026-04-22T12:29:22.002Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-04-22T06:08:31.789Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-129", "description": "CWE-129 Improper validation of array index", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "ONE", "versions": [{"status": "affected", "version": "1.30.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing bounds validation for operator could allow out of range operator-code lookup during model loading\nAffected version is prior to commit 1.30.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing bounds validation for operator could allow out of range operator-code lookup during model loading<br>Affected version is prior to commit 1.30.0."}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T12:29:12.965556Z", "id": "CVE-2026-6840", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T12:29:22.002Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6840", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T12:29:12.965556Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T12:29:17.238Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Samsung Open Source", "product": "ONE", "versions": [{"status": "affected", "version": "1.30.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Missing bounds validation for operator could allow out of range operator-code lookup during model loading\nAffected version is prior to commit 1.30.0.", "supportingMedia": [{"type": "text/html", "value": "Missing bounds validation for operator could allow out of range operator-code lookup during model loading<br>Affected version is prior to commit 1.30.0.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-129", "description": "CWE-129 Improper validation of array index"}]}], "providerMetadata": {"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "shortName": "samsung.tv_appliance", "dateUpdated": "2026-04-22T06:08:31.789Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6840", "state": "PUBLISHED", "dateUpdated": "2026-04-22T12:29:22.002Z", "dateReserved": "2026-04-22T06:03:55.371Z", "assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe", "datePublished": "2026-04-22T06:08:31.789Z", "assignerShortName": "samsung.tv_appliance"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing bounds validation for operator could allow out of range operator-code lookup during model loading\nAffected version is prior to commit 1.30.0."}], "id": "CVE-2026-6840", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "PSIRT@samsung.com", "type": "Secondary"}]}, "published": "2026-04-22T07:16:15.067", "references": [{"source": "PSIRT@samsung.com", "url": "https://github.com/Samsung/ONE/pull/16481"}], "sourceIdentifier": "PSIRT@samsung.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "PSIRT@samsung.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.30.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "one", "vendor": "samsung_open_source"}], "analysis": {"en": {"generated_at": "2026-04-22T07:22:54.391791+00:00", "value": {"mitigation_remediation": ["Upgrade Samsung Open Source:ONE to commit 1.30.0 or newer to apply the missing bounds check.", "If upgrading is not immediately possible, avoid loading untrusted or externally supplied model files until a fix is deployed.", "Monitor Samsung's release notes and apply any subsequent patch as soon as it becomes available."], "summary": {"action": "Apply Patch", "impact": "Arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The affected product is Samsung Open Source:ONE. Versions prior to commit 1.30.0 are vulnerable. No specific sub\u2011product names are provided, so all releases of the framework before that commit are impacted.", "description_and_impact": "The vulnerability arises from a missing bounds check in the operator lookup logic used when loading model files in Samsung Open Source:ONE. If an attacker supplies a model file containing an operator index outside the valid range, the program may read memory beyond the intended array boundaries. This out\u2011of\u2011bounds access can lead to memory corruption, potentially allowing the attacker to execute arbitrary code or cause a denial of service. The weakness corresponds to CWE\u2011129, indicating a signed integer overflow or out\u2011of\u2011range index issue. Based on the description, it is inferred that an attacker can supply a malicious model file to trigger the flaw during the loading process.", "risk_and_exploitability": "The CVSS v3 score is 5.5, indicating a medium severity vulnerability. No EPSS data is available, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is local execution of a crafted model during the loading process; no network exposure is described, so exploitation requires an attacker that can influence the model loading operation. Given the moderate CVSS score and lack of exploitation evidence, the overall risk is medium, but the potential impact of arbitrary code execution warrants prompt attention."}}}}, "created": "2026-04-22T07:30:11.591701+00:00", "title": "Out-of-Bounds Operator-Code Lookup During Model Loading in Samsung ONE", "updated": "2026-04-22T11:44:32.539700+00:00", "vendors": ["samsung_open_source", "samsung_open_source$PRODUCT$one"]}