CVE Catalog

CVE-2026-40504

Critical
Published: Translated: NVD NIST

Summary

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.

Risk Assessment

This vulnerability poses a significant risk to organizations by allowing attackers to execute arbitrary code within the context of applications, potentially leading to data loss or system compromise. Applications processing untrusted scripts are particularly vulnerable.

Recommendation

It is recommended to update Creolabs Gravity to version 0.9.6 or later to mitigate this vulnerability. Additionally, precautions should be taken when evaluating and executing scripts from untrusted sources.

Original NVD description (English source)

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS