top of page
perceptive_background_267k.jpg

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory …

Published:

15 april 2026 om 22:00:00

Alert date:

16 april 2026 om 03:01:15

Source:

nvd.nist.gov

Click to open the original link from this advisory

Supply Chain & Dependencies

CVE-2026-40504 is a heap buffer overflow vulnerability in Creolabs Gravity before version 0.9.6. The vulnerability exists in the gravity_vm_exec function and allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata. This can lead to arbitrary code execution in applications that evaluate untrusted scripts. The vulnerability has been patched in version 0.9.6.

Technical details

Mitigation steps:

Affected products:

Creolabs Gravity

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-40504
https://github.com/marcobambini/gravity/commit/18b9195598d9b944376754c6d1ad76e38a4adca1
https://github.com/marcobambini/gravity/issues/437
https://github.com/marcobambini/gravity/releases/tag/0.9.6
https://www.vulncheck.com/advisories/creolabs-gravity-heap-buffer-overflow-via-gravity-vm-exec

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page