CVE-2026-40504
Published: 16 April 2026
Summary
CVE-2026-40504 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 45.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Creolabs Gravity, an embeddable scripting language and virtual machine, versions prior to 0.9.6, contains a heap buffer overflow vulnerability identified as CVE-2026-40504. The flaw resides in the gravity_vm_exec function, stemming from insufficient bounds checking in gravity_fiber_reassign(). This allows attackers to write out-of-bounds memory by supplying crafted scripts featuring numerous string literals at global scope, potentially corrupting heap metadata. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-122 (Heap-based Buffer Overflow).
Attackers can exploit this vulnerability remotely over a network with low complexity and no privileges or user interaction required. Exploitation involves delivering a malicious script to applications that evaluate untrusted input via the Gravity VM, such as custom applications embedding the interpreter. Successful exploitation enables heap metadata corruption, leading to arbitrary code execution within the context of the vulnerable application.
Mitigation is addressed in the official Gravity repository, where version 0.9.6 resolves the issue through a specific commit (18b9195598d9b944376754c6d1ad76e38a4adca1). Security practitioners should update affected applications to Gravity 0.9.6 or later and avoid evaluating untrusted scripts until patching is complete, as detailed in the project issue tracker (issues/437) and VulnCheck advisory.
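The defect class the advisory describes is a reassign routine that writes into a heap-allocated slot array without first confirming the array is large enough for the code being installed. The following C example, added here for illustration and not taken from Gravity's source or from the fixing commit, models that on a deliberately simplified fiber: `fiber_t`, `closure_t`, `fiber_init`, `fiber_reassign_checked` and `demo_reassign` are invented names, and nothing about Gravity's real fiber layout is claimed. The hardened routine compares the required slot count against the current capacity, guards the size multiplication against wrap-around, and grows the allocation before any write happens; the comment describes what the unchecked form would do.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of an interpreter fiber: a heap-allocated
 * array of value slots plus its current capacity. Names are illustrative
 * and are not Gravity's. */
typedef struct {
    uint64_t *slots;
    size_t capacity;   /* number of slots actually allocated */
} fiber_t;

/* Hypothetical callable: the number of stack slots its code needs. A script
 * with many literals at global scope is the kind of input that drives this
 * number up. */
typedef struct {
    size_t nslots;
} closure_t;

/* Allocate a fiber with a fixed initial capacity. Returns 0 on success. */
int fiber_init(fiber_t *f, size_t capacity) {
    f->slots = calloc(capacity, sizeof(uint64_t));
    if (!f->slots) return -1;
    f->capacity = capacity;
    return 0;
}

void fiber_free(fiber_t *f) {
    free(f->slots);
    f->slots = NULL;
    f->capacity = 0;
}

/* Hardened reassign: before touching the slot array, make sure it can hold
 * the closure being installed, growing it if needed. An unchecked version
 * that simply zeroed c->nslots entries would write past the end of the
 * allocation whenever nslots > capacity, which is the CWE-122 pattern. */
int fiber_reassign_checked(fiber_t *f, const closure_t *c) {
    if (c->nslots > f->capacity) {
        /* Guard the multiplication so the byte count cannot wrap. */
        if (c->nslots > SIZE_MAX / sizeof(uint64_t)) return -1;
        uint64_t *grown = realloc(f->slots, c->nslots * sizeof(uint64_t));
        if (!grown) return -1;
        f->slots = grown;
        f->capacity = c->nslots;
    }
    /* Every write below now stays inside the allocation. */
    memset(f->slots, 0, c->nslots * sizeof(uint64_t));
    return 0;
}

/* Stand-alone driver: returns the fiber's capacity after a checked reassign,
 * or 0 if the reassign was refused. */
size_t demo_reassign(size_t initial_capacity, size_t required_slots) {
    fiber_t f;
    if (fiber_init(&f, initial_capacity) != 0) return 0;
    closure_t c = { required_slots };
    size_t result = (fiber_reassign_checked(&f, &c) == 0) ? f.capacity : 0;
    fiber_free(&f);
    return result;
}

int main(void) {
    /* A fiber of 4 slots asked to host code needing 64 is grown, not overrun. */
    return demo_reassign(4, 64) == 64 ? 0 : 1;
}
```

The point for a defender reviewing an embedded interpreter is that the check sits at the boundary where script-controlled numbers (slot counts, literal counts) meet a fixed-size heap object; the same shape applies whether the fix grows the buffer, as here, or rejects the script outright.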
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23145
Vulnerability details
Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Client Execution (T1203)
Why these techniques?
A heap buffer overflow in an embeddable scripting VM enables remote arbitrary code execution via crafted scripts supplied to applications that evaluate untrusted input, which directly corresponds to exploitation for client execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the heap buffer overflow by requiring timely remediation through patching to Gravity 0.9.6 or later, as specified in the advisory.
- SI-16 (Memory Protection): implements memory protection mechanisms such as heap cookies and bounds checking to prevent out-of-bounds writes and heap metadata corruption from crafted scripts.
- Input validation: validates untrusted script inputs to the Gravity VM, addressing the insufficient bounds checking in gravity_fiber_reassign() that enables the overflow.