CVE-2026-41667

Description

Integer overflow in constant tensor data size calculation in Samsung Open Source ONE could cause incorrect buffer sizing for large constant nodes. Affected version is prior to commit 1.30.0.

CVSS Details

CVSS Score

6.6

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:* - VULNERABLE

Samsung Open Source ONE < commit 1.30.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

// Simulating the vulnerable constant tensor size calculation
void calculate_tensor_size(size_t dim1, size_t dim2) {
    printf("Calculating size for dims: %zu x %zu\n", dim1, dim2);
    
    // Vulnerability: Integer overflow occurs here if dims are too large
    // This mimics the logic in Samsung Open Source ONE prior to 1.30.0
    size_t total_size = dim1 * dim2;

    printf("Calculated total size: %zu\n", total_size);

    // Buffer allocation based on incorrect size
    char *buffer = (char *)malloc(total_size);
    
    if (buffer == NULL) {
        printf("Memory allocation failed.\n");
        return;
    }

    // Simulate writing data to the buffer
    // If overflow occurred, this write will exceed the allocated buffer
    printf("Writing data to buffer...\n");
    for(size_t i = 0; i < dim1 * dim2; i++) {
        buffer[i] = 'A'; // Potential buffer overflow
    }

    free(buffer);
}

int main() {
    // Trigger condition: Large values causing integer overflow
    // Example values that would cause wrap-around in 64-bit multiplication
    size_t large_dim = 0x100000000; 
    
    printf("--- PoC for CVE-2026-41667 ---\n");
    calculate_tensor_size(large_dim, large_dim);
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41667
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41667
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41667/
[4] VulDB https://vuldb.com/cve/CVE-2026-41667
[5] https://github.com/Samsung/ONE/pull/16481

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41667", "sourceIdentifier": "[email protected]", "published": "2026-04-22T07:16:13.990", "lastModified": "2026-04-27T18:21:50.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer overflow in constant tensor data size calculation in Samsung Open Source ONE could cause incorrect buffer sizing for large constant nodes.\nAffected version is prior to commit 1.30.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.30.0", "matchCriteriaId": "4DBBA2E4-036F-40C0-B2EF-D14AB3C83B6E"}]}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}