CVE-2026-12216
Received - Intake
Memory Corruption in Duktape JavaScript Engine

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulDB

Description
A weakness has been identified in svaarala duktape up to 2.99.99. This issue affects some unknown processing of the file duk_api_bytecode.c. Executing a manipulation of the argument count_instr can lead to memory corruption. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: svaarala
Product: duktape
Version / Range: up to 2.99.99 (inclusive)
CWE
CWE ID: CWE-119
Description: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The CVE-2026-12216 vulnerability is an out-of-bounds (OOB) read issue in the Duktape JavaScript engine's bytecode loader, specifically in the file duk_api_bytecode.c. It occurs because the bounds checking macro (DUK_ASSERT) is disabled in Release builds, allowing crafted bytecode with an inflated instruction count (count_instr) and a truncated buffer to cause the loader to read beyond the allocated heap memory. This results in the loader interpreting random heap data as valid bytecode instructions.

An attacker with local access can exploit this by providing malformed bytecode that tricks the loader into reading 4 bytes past the buffer boundary, potentially leading to memory corruption or information disclosure.
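
The assert-only bounds check described above, shown as an added example that is not Duktape's code and not part of the original advisory. It assumes a constructed toy format (a 4-byte big-endian count_instr followed by 4-byte instructions, not Duktape's real bytecode layout) and hypothetical names (LOADER_ASSERT, load_assert_only, load_checked) to contrast a check that compiles out in Release builds with one that always runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy format, NOT Duktape's real bytecode layout:
 *   [4-byte big-endian count_instr][count_instr x 4-byte instructions] */
static const uint8_t SAMPLE_OK[] = {0, 0, 0, 2, 0xDE, 0xAD, 0xBE, 0xEF, 0, 0, 0, 1};
static const uint8_t SAMPLE_TRUNCATED[] = {0, 0, 0, 2, 0xDE, 0xAD, 0xBE, 0xEF}; /* claims 2, holds 1 */

/* Hypothetical stand-in for an assert macro in a Release build: expands to nothing. */
#define LOADER_ASSERT(cond) ((void) 0)

static uint32_t read_u32_be(const uint8_t *p) {
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
           ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Assert-only pattern: once LOADER_ASSERT is compiled out, nothing ties
 * count_instr to len, so an inflated count walks past buf + len. */
int load_assert_only(const uint8_t *buf, size_t len, uint32_t *out, size_t out_cap) {
    const uint8_t *p = buf + 4, *end = buf + len;
    uint32_t count_instr = read_u32_be(buf);
    for (uint32_t i = 0; i < count_instr && i < out_cap; i++, p += 4) {
        LOADER_ASSERT(p + 4 <= end);  /* no-op here, so no check happens */
        out[i] = read_u32_be(p);
    }
    (void) end;
    return (int) count_instr;
}

/* Hardened pattern: the length checks are ordinary runtime code and run
 * before any instruction byte is read, in every build type. */
int load_checked(const uint8_t *buf, size_t len, uint32_t *out, size_t out_cap) {
    if (buf == NULL || len < 4) return -1;        /* header missing */
    uint32_t count_instr = read_u32_be(buf);
    if (count_instr > (len - 4) / 4) return -1;   /* count exceeds the data present */
    if (count_instr > out_cap) return -1;         /* caller's buffer too small */
    for (uint32_t i = 0; i < count_instr; i++)
        out[i] = read_u32_be(buf + 4 + (size_t) i * 4);
    return (int) count_instr;
}

int main(void) {
    uint32_t out[4];
    printf("ok: %d\n", load_checked(SAMPLE_OK, sizeof SAMPLE_OK, out, 4));
    printf("truncated: %d\n", load_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, out, 4));
    return 0;
}
```

Only load_checked is run on SAMPLE_TRUNCATED, because load_assert_only would read past the end of that array.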

Impact Analysis

This vulnerability can lead to memory corruption or information disclosure in applications using the Duktape engine in Release builds. Since the loader reads beyond the intended memory boundary, it may expose sensitive data or cause unintended behavior, potentially compromising the security and stability of the affected application.

The attack requires local access, so an attacker must have some level of access to the system to exploit this vulnerability.

Detection Guidance

This vulnerability involves an out-of-bounds read in Duktape's bytecode loader due to disabled bounds checking in Release builds. Detection involves identifying if your system is running a vulnerable version of svaarala duktape (up to 2.99.99) and if it processes bytecode files that could be manipulated.

Since the exploit requires local access and involves malformed bytecode with an inflated instruction count, detection can focus on monitoring for suspicious or malformed bytecode files being loaded.

There are no specific commands provided in the resources to detect this vulnerability directly on your system or network.

Mitigation Strategies

Immediate mitigation steps include restricting local access to systems running vulnerable versions of svaarala duktape to prevent exploitation.

Avoid processing untrusted or malformed bytecode files that could exploit the out-of-bounds read.

Since the vulnerability arises because the DUK_ASSERT macro is disabled in Release builds, consider using debug builds or enabling bounds checking if possible.

Monitor for updates or patches from the vendor, although the vendor has not responded to this disclosure yet.
