PT-2026-33221 · Creolabs · Gravity

Segv0X · Published 2026-04-16 · Updated 2026-04-16 · CVE-2026-40504

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Creolabs Gravity versions prior to 0.9.6

Description: A heap buffer overflow exists in the gravity_vm_exec() function. An attacker can write outside the bounds of a heap buffer by supplying a script that declares numerous string literals at the global scope. In addition, insufficient bounds checking in the gravity_fiber_reassign() function can be used to corrupt heap metadata, which may lead to arbitrary code execution in applications that evaluate untrusted scripts.

Recommendations: Update to version 0.9.6 or later.

Tags: Fix · RCE · Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers: CVE-2026-40504

Affected Products: Gravity