CVE-2026-40449

Description

Integer overflow in buffer size calculation could result in out of bounds memory access when handling large tensors in Samsung Open Source ONE. Affected version is prior to commit 1.30.0.

CVSS Details

CVSS Score

6.6

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:* - VULNERABLE

Samsung Open Source ONE < commit 1.30.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-40449
 * Demonstrates triggering integer overflow by creating large tensor dimensions.
 */

#include <stdio.h>
#include <stdint.h>

// Simulating the vulnerable buffer size calculation
void simulate_vulnerable_calc(size_t dim_a, size_t dim_b, size_t elem_size) {
    printf("Calculating buffer size for dims: %zu x %zu, elem_size: %zu\n", dim_a, dim_b, elem_size);
    
    // Vulnerable calculation: potential overflow here
    size_t required_size = dim_a * dim_b * elem_size;
    
    printf("Calculated required size: %zu\n", required_size);
    
    if (required_size < dim_a) { // Simple check for overflow
        printf("[!] Integer Overflow detected! Size wrapped around.\n");
    } else {
        printf("[+] Size seems valid (may still be vulnerable depending on allocation logic).\n");
    }
}

int main() {
    // Dimensions chosen to trigger 32-bit or 64-bit overflow depending on arch
    size_t large_dim = 0x100000000; 
    size_t elem_size = 4; // e.g., float32
    
    simulate_vulnerable_calc(large_dim, large_dim, elem_size);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-40449
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-40449
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-40449/
[4] VulDB https://vuldb.com/cve/CVE-2026-40449
[5] https://github.com/Samsung/ONE/pull/16481

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-40449", "sourceIdentifier": "[email protected]", "published": "2026-04-22T07:16:13.450", "lastModified": "2026-04-27T18:21:02.313", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer overflow in buffer size calculation could result in out of bounds memory access when handling large tensors in Samsung Open Source ONE.\nAffected version is prior to commit 1.30.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.30.0", "matchCriteriaId": "4DBBA2E4-036F-40C0-B2EF-D14AB3C83B6E"}]}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}