CVE-2026-6840
Received Received - Intake
Out-of-Bounds Operator-Code Lookup in Model Loader Before

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Samsung TV & Appliance

Description
Missing bounds validation for operator could allow out of range operator-code lookup during model loading Affected version is prior to commit 1.30.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6840
EUVD
EUVD-2026-24629
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samsung operator_code_lookup to 1.30.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is caused by missing bounds validation for an operator, which could allow an out of range operator-code lookup during model loading.

It affects versions prior to commit 1.30.0.

Impact Analysis

The vulnerability has a CVSS v3.1 base score of 5.5, indicating a moderate severity.

It requires local attack vector with low attack complexity and no privileges required, but user interaction is needed.

The impact is on availability (A:H), meaning it could cause a denial of service or crash during model loading.

There is no impact on confidentiality or integrity.

Compliance Impact

The vulnerability described involves missing bounds validation that could allow out of range operator-code lookup during model loading, with an impact on availability (CVSS 5.5, AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). There is no indication that this vulnerability affects confidentiality or integrity of data.

Since the vulnerability does not impact confidentiality or integrity, it is unlikely to directly affect compliance with data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

However, the impact on availability could have indirect compliance implications if the affected system is critical for maintaining required service levels or data availability under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6840. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart