CVE-2026-4010
Received Received - Intake
Integer Overflow in ThakeeNathees pocketlang Causes Memory Corruption

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in ThakeeNathees pocketlang up to cc73ca61b113d48ee130d837a7a8b145e41de5ce. The affected element is the function pkByteBufferAddString. The manipulation of the argument length with the input 4294967290 results in memory corruption. The attack requires a local approach. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4010
EUVD
EUVD-2026-11544
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
thakeenathees pocketlang to cc73ca61b113d48ee130d837a7a8b145e41de5ce (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4010 is a memory corruption vulnerability in the function pkByteBufferAddString of ThakeeNathees' pocketlang. It occurs when the function processes an argument length with the value 4294967290, which is an integer underflow leading to an extremely large length value."}, {'type': 'paragraph', 'content': 'This causes the program to write beyond the allocated buffer size, resulting in a heap buffer overflow and segmentation fault (crash). The vulnerability is triggered when the compiler tries to report a "Non terminated string" error, and the error-reporting logic itself causes the overflow.'}, {'type': 'paragraph', 'content': 'Additional related issues include null function pointer dereference during parsing and type confusion causing invalid memory access, all leading to crashes and potential exploitation.'}] [1, 2, 4]

Impact Analysis

This vulnerability can cause the pocketlang compiler or runtime to crash due to memory corruption, resulting in denial of service.

Since the attack requires local access and specially crafted malformed input, an attacker with local access could exploit this to disrupt system availability.

The impact is primarily on system stability and availability, as the memory corruption leads to segmentation faults and crashes.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by running the pocketlang compiler with specially crafted malformed input scripts that trigger the error conditions leading to crashes.'}, {'type': 'paragraph', 'content': 'Specifically, the crash occurs when the compiler tries to report a "Non terminated string" error, causing an integer underflow and heap buffer overflow in the function pkByteBufferAddString.'}, {'type': 'paragraph', 'content': 'Detection involves compiling or running pocketlang on Linux x86_64 with Clang in Release mode using malformed scripts that cause segmentation faults (SIGSEGV) at specific source code locations such as src/core/value.c:40.'}, {'type': 'paragraph', 'content': 'Using debugging tools like GDB to observe crashes at pkByteBufferAddString or related functions during compilation of malformed inputs can confirm the presence of the vulnerability.'}, {'type': 'list_item', 'content': 'Run pocketlang compiler with a malformed input file designed to trigger a non-terminated string error.'}, {'type': 'list_item', 'content': 'Use GDB to debug and check for segmentation faults at src/core/value.c line 40 or related crash points.'}] [1, 2]

Mitigation Strategies

Currently, there is no official response or patch from the pocketlang project to address this vulnerability.

Immediate mitigation steps include avoiding the use of pocketlang in environments where local users could exploit this vulnerability.

Consider restricting local access to the system or application running pocketlang to trusted users only.

Monitor for any updates or patches from the project and apply them once available.

As no known countermeasures exist, users are advised to consider alternative products if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4010. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart