Security Vulnerability Report
CVE-2026-41664 CVSS 6.6 MEDIUM

Published: 2026-04-22 07:16:14
Last Modified: 2026-04-27 18:21:21

Description

Integer overflow in memory copy size calculation in Samsung Open Source ONE could lead to invalid memory operations with large tensor shapes. Affected version is prior to commit 1.30.0.

CVSS Details

CVSS Score: 6.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:* - VULNERABLE
Samsung Open Source ONE < Commit 1.30.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept for Integer Overflow in Tensor Size Calculation
# Target: Samsung Open Source ONE < 1.30.0
# This script demonstrates the logic that triggers the overflow.

def calculate_tensor_size(dimensions, dtype_size=4):
    """
    Simulates the vulnerable size calculation logic.
    """
    size = 1
    for dim in dimensions:
        size *= dim
        # Simulate 32-bit integer overflow (wrap around)
        MAX_UINT32 = 0xFFFFFFFF
        if size > MAX_UINT32:
            size = size % (MAX_UINT32 + 1)
    return size * dtype_size

# Scenario: Attacker crafts a tensor with dimensions that cause overflow
# Example: A tensor with shape [0x10000, 0x10000] of 4-byte floats
# Actual size = 0x10000 * 0x10000 * 4 = 2^32 * 4 bytes (Huge)
# Calculated size (32-bit) = 0 * 4 = 0 bytes
malicious_shape = [0x10000, 0x10000]
allocated_buffer_size = calculate_tensor_size(malicious_shape)

print(f"Malicious Shape: {malicious_shape}")
print(f"Allocated Buffer Size (based on overflowed calc): {allocated_buffer_size} bytes")
print("Vulnerability Triggered: attempting to copy massive data into tiny buffer...")

# Real-world exploitation would involve passing this tensor to the ONE runtime,
# causing a crash or memory corruption during the memcpy operation.
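
The defensive counterpart to the size calculation simulated above, as an added example that is not code from the ONE project or its patch. It puts the wrapping 32-bit product beside a checked version that rejects any shape whose byte size would overflow or exceed a limit; the function names and the `max_bytes` cap are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern (CWE-190): the product is accumulated in 32 bits and wraps. */
uint32_t tensor_bytes_unchecked(const uint32_t *dims, size_t rank, uint32_t elem_size)
{
    uint32_t n = 1;
    for (size_t i = 0; i < rank; i++)
        n *= dims[i];               /* wraps modulo 2^32 */
    return n * elem_size;           /* can wrap a second time */
}

/* Checked pattern: test every multiplication before performing it, then
 * enforce a caller-supplied cap (hypothetical policy limit) before the
 * result is used as an allocation or memcpy length. */
bool tensor_bytes_checked(const uint32_t *dims, size_t rank, size_t elem_size,
                          size_t max_bytes, size_t *out)
{
    if (elem_size == 0)
        return false;
    size_t total = elem_size;
    for (size_t i = 0; i < rank; i++) {
        size_t d = dims[i];
        if (d != 0 && total > SIZE_MAX / d)
            return false;           /* product would not fit in size_t */
        total *= d;
    }
    if (total > max_bytes)
        return false;               /* shape larger than policy allows */
    *out = total;
    return true;
}

int main(void)
{
    const uint32_t shape[] = {0x10000, 0x10000};   /* shape used in the PoC above */
    size_t bytes = 0;
    printf("unchecked: %u bytes\n", (unsigned)tensor_bytes_unchecked(shape, 2, 4));
    printf("checked:   %s\n",
           tensor_bytes_checked(shape, 2, 4, (size_t)1 << 30, &bytes)
               ? "accepted" : "rejected");
    return 0;
}
```

The checked function returns the size through `out` only on success, so a caller cannot reach the copy with a wrapped length.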

References

https://github.com/Samsung/ONE/pull/16481 (Issue Tracking, Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41664", "sourceIdentifier": "[email protected]", "published": "2026-04-22T07:16:13.657", "lastModified": "2026-04-27T18:21:20.907", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer overflow in memory copy size calculation in Samsung Open Source ONE could lead to invalid memory operations with large tensor shapes.\nAffected version is prior to commit 1.30.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.30.0", "matchCriteriaId": "4DBBA2E4-036F-40C0-B2EF-D14AB3C83B6E"}]}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}