Cyber Resilience

CVE-2026-40504

Critical · Public PoC

Published: 16 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: Gravity 0.9.6 (commit 18b9195598d9b944376754c6d1ad76e38a4adca1)
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0064 (45.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-40504 is a critical-severity heap-based buffer overflow (CWE-122). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability ranks at the 45.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

Creolabs Gravity, an embeddable scripting language and virtual machine, contains a heap buffer overflow in versions prior to 0.9.6, tracked as CVE-2026-40504. The flaw is reached through the gravity_vm_exec function and stems from insufficient bounds checking in gravity_fiber_reassign(). A crafted script with many string literals at global scope causes writes beyond the bounds of a heap allocation, which can corrupt heap metadata. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-122 (Heap-based Buffer Overflow).

The vulnerability is exploitable remotely over a network with low complexity and without privileges or user interaction. Exploitation consists of delivering a malicious script to an application that evaluates untrusted input through the Gravity VM, such as a custom application embedding the interpreter. Successful exploitation corrupts heap metadata and can lead to arbitrary code execution in the context of the vulnerable application.

The fix is in the official Gravity repository: version 0.9.6 resolves the issue through commit 18b9195598d9b944376754c6d1ad76e38a4adca1. Security practitioners should update affected applications to Gravity 0.9.6 or later and avoid evaluating untrusted scripts until patching is complete, as detailed in the project issue tracker (issues/437) and the VulnCheck advisory.
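The advisory describes the classic CWE-122 shape: a store into a heap array that assumes a free slot exists, reached by feeding the interpreter more string literals than the array was sized for. The following C program is an added illustration of that pattern and its fix; it is hypothetical code written for this page, not Gravity's gravity_fiber_reassign() or any other code from the project, and the pool type, capacities and literal strings are constructed for the example. It keeps the unchecked store only for contrast and never calls it; the checked version grows the array with overflow-safe doubling and reports failure instead of writing out of bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical pool of string literals collected at global scope. Constructed for
 * this illustration; it is NOT Gravity's own data structure. */
typedef struct {
    char **items;      /* heap array of owned C strings */
    size_t count;      /* literals stored so far */
    size_t capacity;   /* slots currently allocated in items */
} literal_pool_t;

static bool literal_pool_init(literal_pool_t *pool, size_t capacity) {
    if (capacity == 0 || capacity > SIZE_MAX / sizeof(char *)) return false;
    pool->items = calloc(capacity, sizeof(char *));
    if (pool->items == NULL) return false;
    pool->count = 0;
    pool->capacity = capacity;
    return true;
}

/* Vulnerable shape (CWE-122): the store assumes a free slot. Once count reaches
 * capacity, the write lands past the end of items[] in adjacent heap memory,
 * which is how heap metadata gets corrupted. Shown for contrast only; not called. */
void literal_pool_append_unchecked(literal_pool_t *pool, char *owned) {
    pool->items[pool->count++] = owned;   /* no bounds check */
}

/* Hardened shape: grow before every store, guard the size arithmetic against
 * overflow, and fail closed rather than write out of bounds. */
static bool literal_pool_append(literal_pool_t *pool, const char *s) {
    if (pool->count == pool->capacity) {
        if (pool->capacity > SIZE_MAX / 2 / sizeof(char *)) return false;
        size_t new_capacity = pool->capacity * 2;
        char **grown = realloc(pool->items, new_capacity * sizeof(char *));
        if (grown == NULL) return false;
        pool->items = grown;
        pool->capacity = new_capacity;
    }
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy == NULL) return false;
    memcpy(copy, s, len);
    pool->items[pool->count++] = copy;    /* count < capacity is now guaranteed */
    return true;
}

static void literal_pool_free(literal_pool_t *pool) {
    for (size_t i = 0; i < pool->count; i++) free(pool->items[i]);
    free(pool->items);
    pool->items = NULL;
    pool->count = pool->capacity = 0;
}

/* Simulates evaluating a script with `literal_count` string literals at global
 * scope (the input class the advisory names) against a pool that starts with
 * `initial_capacity` slots. Returns how many literals were stored without error. */
static size_t store_literals(size_t initial_capacity, size_t literal_count) {
    literal_pool_t pool;
    if (!literal_pool_init(&pool, initial_capacity)) return 0;
    size_t stored = 0;
    char buf[32];
    for (size_t i = 0; i < literal_count; i++) {
        snprintf(buf, sizeof buf, "literal_%zu", i);   /* constructed literal text */
        if (!literal_pool_append(&pool, buf)) break;
        stored++;
    }
    literal_pool_free(&pool);
    return stored;
}

int main(void) {
    size_t stored = store_literals(4, 1000);
    printf("stored %zu literals with no out-of-bounds write\n", stored);
    return stored == 1000 ? 0 : 1;
}
```

The point to take from the pair is that the unchecked store has no failure path at all, so the only observable symptom of too many literals is heap corruption; the checked store turns the same input into an ordinary error return that the embedding application can log and reject. Running the checked version under AddressSanitizer with a large literal count is a cheap regression test for this class of bug in any interpreter you embed.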


Vulnerability details

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.

CWE(s)

CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow in embeddable scripting VM enables remote arbitrary code execution via crafted scripts supplied to applications evaluating untrusted input, directly facilitating exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40363 (shared CWE-122)
CVE-2025-59295 (shared CWE-122)
CVE-2025-21266 (shared CWE-122)
CVE-2026-25713 (shared CWE-122)
CVE-2026-5272 (shared CWE-122)
CVE-2026-8509 (shared CWE-122)
CVE-2025-21171 (shared CWE-122)
CVE-2026-23530 (shared CWE-122)
CVE-2026-23532 (shared CWE-122)
CVE-2026-23531 (shared CWE-122)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent · SI-2 Flaw Remediation: Directly mitigates the heap buffer overflow by requiring timely remediation through patching to Gravity 0.9.6 or later, as specified in the advisory.

Prevent · SI-16 Memory Protection: Implements memory protection mechanisms such as heap cookies and bounds checking to prevent out-of-bounds writes and heap metadata corruption from crafted scripts.

Prevent · Input validation: Validates untrusted script inputs to the Gravity VM, addressing the insufficient bounds checking in gravity_fiber_reassign() that enables the overflow.
