Security Vulnerability Report
CVE-2026-40448 CVSS 5.3 MEDIUM

CVE-2026-40448

Published: 2026-04-22 07:16:13
Last Modified: 2026-04-27 18:18:39

Description

A potential integer overflow in the tensor allocation size calculation could lead to insufficient memory allocation for large tensors in Samsung Open Source ONE. Affected versions are those prior to commit 1.30.0.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:* - VULNERABLE
Samsung Open Source ONE < commit 1.30.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-40448: Integer Overflow in Tensor Allocation
 * This code demonstrates the logic flaw where size calculation overflows.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

// Simulating the vulnerable function
void vulnerable_tensor_alloc(size_t dim1, size_t dim2, size_t element_size)
{
    printf("Allocating tensor: %zux%zu, size: %zu\n", dim1, dim2, element_size);

    // Vulnerable calculation: dim1 * dim2 * element_size
    // If inputs are large enough, this multiplication overflows
    size_t total_size = dim1 * dim2 * element_size;
    printf("Calculated allocation size: %zu\n", total_size);

    // Allocating based on the overflowed size (too small)
    void *buffer = malloc(total_size);
    if (!buffer) {
        perror("malloc failed");
        return;
    }

    // Attempting to fill the buffer with the expected (large) size
    // This will cause a heap overflow
    printf("Attempting to write to buffer...\n");
    for (size_t i = 0; i < dim1 * dim2; i++) {
        // ((char*)buffer)[i * element_size] = 0; // Crash would happen here
    }

    free(buffer);
}

int main(void)
{
    // Inputs designed to trigger integer overflow (e.g., on 32-bit size_t or specific large values)
    // Example: 0x100000 * 0x100000 * 4 = 2^42, which wraps to 0 when size_t is 32 bits wide
    // (a 64-bit size_t does not wrap for these values)
    size_t large_dim = 0x100000;
    size_t elem_size = 4;
    vulnerable_tensor_alloc(large_dim, large_dim, elem_size);
    return 0;
}
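A hardened counterpart to the size calculation in the PoC above, as an added example that is not part of the original page and is not code from the ONE project. The names `checked_mul`, `tensor_byte_size` and `checked_tensor_alloc` are hypothetical, and the sketch generalizes from two dimensions to any rank: each multiplication is checked against `SIZE_MAX` before it is performed, so an unrepresentable size is rejected instead of wrapping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Multiply a by b into *out; return false instead of wrapping past SIZE_MAX. */
static bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Byte size of a tensor with `rank` dimensions (hypothetical helper).
 * Returns false if any intermediate product is not representable in size_t. */
bool tensor_byte_size(const size_t *dims, size_t rank, size_t element_size, size_t *out)
{
    size_t total = element_size;
    for (size_t i = 0; i < rank; i++) {
        if (!checked_mul(total, dims[i], &total))
            return false;
    }
    *out = total;
    return true;
}

/* Allocate only when the size is representable and non-zero; NULL otherwise. */
void *checked_tensor_alloc(const size_t *dims, size_t rank, size_t element_size)
{
    size_t bytes;
    if (!tensor_byte_size(dims, rank, element_size, &bytes) || bytes == 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed inputs: a small tensor and one whose byte size exceeds SIZE_MAX. */
    size_t small[] = {3, 4}, huge[] = {SIZE_MAX / 2 + 1, 2}, bytes = 0;
    printf("small ok=%d\n", tensor_byte_size(small, 2, 4, &bytes));
    printf("huge  ok=%d\n", tensor_byte_size(huge, 2, 1, &bytes));
    return 0;
}
```

The check is conservative: a shape whose early dimensions overflow is rejected even if a later dimension is zero.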

References

https://github.com/Samsung/ONE/pull/16481 (Issue Tracking, Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40448", "sourceIdentifier": "[email protected]", "published": "2026-04-22T07:16:12.500", "lastModified": "2026-04-27T18:18:38.783", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Potential Integer overflow in tensor allocation size calculation could lead to insufficient memory allocation for large tensors in Samsung Open Source ONE.\nAffected version is prior to commit  1.30.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.30.0", "matchCriteriaId": "4DBBA2E4-036F-40C0-B2EF-D14AB3C83B6E"}]}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}