CVE-2026-40504
Received Received - Intake
Heap Buffer Overflow in Creolabs Gravity Enables Code Execution

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: VulnCheck

Description
Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40504
EUVD
EUVD-2026-23145
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
creolabs gravity to 0.9.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40504 is a critical heap buffer overflow vulnerability in Creolabs Gravity versions before 0.9.6. It occurs in the gravity_vm_exec function when executing scripts that contain many string literals at the global scope combined with recursion.

The root cause is insufficient bounds checking in the gravity_fiber_reassign() function, which allows the virtual machine's fiber stack to be written out of bounds. This leads to heap memory corruption by writing beyond the allocated stack memory region.

Attackers can exploit this flaw by crafting malicious scripts that trigger out-of-bounds writes, corrupting heap metadata and potentially achieving arbitrary code execution in applications that evaluate untrusted scripts.

Impact Analysis

This vulnerability can have severe impacts including arbitrary code execution, which means an attacker can run malicious code within the context of the vulnerable application.

Because the vulnerability is remotely exploitable without any privileges or user interaction, attackers can compromise confidentiality, integrity, and availability of the affected system.

Exploitation can lead to crashes, data corruption, or full system compromise depending on how the vulnerable application is used.

Detection Guidance

This vulnerability can be detected by running the Gravity interpreter or application compiled with AddressSanitizer (ASAN) enabled. Executing a proof-of-concept (PoC) script that contains many global string literals combined with recursion will trigger a heap-buffer-overflow error reported by ASAN.

Specifically, compiling Gravity with the compiler flag `-fsanitize=address` and then running the PoC script (`poc.gravity`) will produce an ASAN error indicating a heap-buffer-overflow at a particular memory address, pointing to the `gravity_vm_exec` function.

Without ASAN, the binary may crash with errors such as `realloc(): invalid next size`, indicating heap corruption.

  • Compile Gravity with ASAN: `clang -fsanitize=address -g -o gravity gravity.c ...`
  • Run the PoC script to trigger the overflow: `./gravity poc.gravity`
Mitigation Strategies

The immediate mitigation step is to upgrade Creolabs Gravity to version 0.9.6 or later, where this vulnerability has been fixed.

Version 0.9.6 includes fixes that prevent the heap buffer overflow by improving stack overflow detection, properly managing fiber stack pointers, and preventing memory corruption.

Additionally, the update introduces configurable stack size limits and better error handling to avoid crashes and infinite recursion.

If upgrading immediately is not possible, avoid evaluating untrusted scripts that contain many global string literals or deep recursion, as these trigger the vulnerability.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-40504 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40504. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart