CVE-2026-40504
Status: Received - Intake
Heap Buffer Overflow in Creolabs Gravity Enables Code Execution

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: VulnCheck

Description
Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.
Meta Information
  • Published: 2026-04-16
  • Last modified: 2026-04-16
  • Generated: 2026-05-07
  • AI Q&A: 2026-04-16
  • EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: creolabs
Product: gravity
Version / Range: up to 0.9.6 (excluding 0.9.6)
CWE
CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40504 is a critical heap buffer overflow vulnerability in Creolabs Gravity versions before 0.9.6. It occurs in the gravity_vm_exec function when executing scripts that contain many string literals at the global scope combined with recursion.

The root cause is insufficient bounds checking in the gravity_fiber_reassign() function, which allows the virtual machine's fiber stack to be written out of bounds. This leads to heap memory corruption by writing beyond the allocated stack memory region.

Attackers can exploit this flaw by crafting malicious scripts that trigger out-of-bounds writes, corrupting heap metadata and potentially achieving arbitrary code execution in applications that evaluate untrusted scripts.


How can this vulnerability impact me?

This vulnerability can have severe impacts including arbitrary code execution, which means an attacker can run malicious code within the context of the vulnerable application.

Because the vulnerability is remotely exploitable without any privileges or user interaction, attackers can compromise confidentiality, integrity, and availability of the affected system.

Exploitation can lead to crashes, data corruption, or full system compromise depending on how the vulnerable application is used.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by running the Gravity interpreter or application compiled with AddressSanitizer (ASAN) enabled. Executing a proof-of-concept (PoC) script that contains many global string literals combined with recursion will trigger a heap-buffer-overflow error reported by ASAN.

Specifically, compiling Gravity with the compiler flag `-fsanitize=address` and then running the PoC script (`poc.gravity`) will produce an ASAN error indicating a heap-buffer-overflow at a particular memory address, pointing to the `gravity_vm_exec` function.

Without ASAN, the binary may crash with errors such as `realloc(): invalid next size`, indicating heap corruption.

  • Compile Gravity with ASAN: `clang -fsanitize=address -g -o gravity gravity.c ...`
  • Run the PoC script to trigger the overflow: `./gravity poc.gravity`

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Creolabs Gravity to version 0.9.6 or later, where this vulnerability has been fixed.

Version 0.9.6 includes fixes that prevent the heap buffer overflow by improving stack overflow detection, properly managing fiber stack pointers, and preventing memory corruption.

Additionally, the update introduces configurable stack size limits and better error handling to avoid crashes and infinite recursion.

If upgrading immediately is not possible, avoid evaluating untrusted scripts that contain many global string literals or deep recursion, as these trigger the vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of CVE-2026-40504 on compliance with common standards and regulations such as GDPR or HIPAA.

