Security Vulnerability Report
CVE-2026-40450 CVSS 6.6 MEDIUM

CVE-2026-40450

Published: 2026-04-22 07:16:14
Last Modified: 2026-04-27 18:21:10

Description

An integer overflow in the output tensor copy size calculation in Samsung Open Source ONE could cause an incorrect copy length and memory corruption for oversized tensors. Affected versions are those prior to commit 1.30.0.

CVSS Details

CVSS Score: 6.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:* - VULNERABLE
Samsung Open Source ONE < commit 1.30.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import numpy as np

# Conceptual PoC for Integer Overflow in Tensor Copy Size Calculation
# Target: Samsung Open Source ONE (prior to commit 1.30.0)

def trigger_overflow():
    # Attempt to create dimensions that cause size calculation to overflow
    # Example: max 32-bit int is 2147483647.
    # If we calculate dim1 * dim2 * element_size, it wraps around.

    # Simulating a large tensor dimension that causes overflow in size_t calculation
    # Assuming the vulnerability occurs in C++ backend logic handling tensor copying
    dimensions = [0x10000, 0x10000, 0x10000]
    # 0x10000 * 0x10000 * 0x10000 = 2^48, which overflows a 32-bit signed integer

    print("[*] Attempting to allocate/copy tensor with dimensions causing integer overflow...")

    try:
        # In a real scenario, this would be passed to the vulnerable ONE API
        # payload = malicious_tensor_data
        # vulnerable_api_copy_function(payload)
        print("[+] Payload constructed. If vulnerable, memory corruption occurs during copy.")
    except Exception as e:
        print(f"[-] Exception occurred: {e}")

if __name__ == "__main__":
    trigger_overflow()

References

https://github.com/Samsung/ONE/pull/16481 (Issue Tracking, Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40450", "sourceIdentifier": "[email protected]", "published": "2026-04-22T07:16:13.553", "lastModified": "2026-04-27T18:21:09.623", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer overflow in output tensor copy size calculation in Samsung Open Source ONE could cause incorrect copy length and memory corruption for oversized tensors.\nAffected version is prior to commit 1.30.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.30.0", "matchCriteriaId": "4DBBA2E4-036F-40C0-B2EF-D14AB3C83B6E"}]}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}