{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40504", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-13T20:29:02.808Z", "datePublished": "2026-04-16T01:10:27.364Z", "dateUpdated": "2026-04-16T01:10:27.364Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-16T01:10:27.364Z"}, "title": "Creolabs Gravity < 0.9.6 Heap Buffer Overflow via gravity_vm_exec", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "type": "CWE"}]}], "affected": [{"vendor": "marcobambini", "product": "gravity", "repo": "https://github.com/marcobambini/gravity", "versions": [{"status": "affected", "version": "0", "lessThan": "0.9.6", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "18b9195598d9b944376754c6d1ad76e38a4adca1", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.<br>"}]}], "references": [{"url": "https://github.com/marcobambini/gravity/releases/tag/0.9.6", "tags": ["release-notes"]}, {"url": "https://github.com/marcobambini/gravity/issues/437", "tags": ["issue-tracking"]}, {"url": "https://github.com/marcobambini/gravity/commit/18b9195598d9b944376754c6d1ad76e38a4adca1", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/creolabs-gravity-heap-buffer-overflow-via-gravity-vm-exec", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "segv0x", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts."}], "id": "CVE-2026-40504", "lastModified": "2026-04-16T02:16:11.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-16T02:16:11.693", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/marcobambini/gravity/commit/18b9195598d9b944376754c6d1ad76e38a4adca1"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/marcobambini/gravity/issues/437"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/marcobambini/gravity/releases/tag/0.9.6"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/creolabs-gravity-heap-buffer-overflow-via-gravity-vm-exec"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T02:12:51.844597+00:00", "value": {"mitigation_remediation": ["Update to gravity version 0.9.6 or later, which includes the heap overflow fix.", "If an upgrade cannot be performed immediately, disable or tightly restrict the execution of untrusted scripts within applications that embed Gravity.", "Monitor application logs for signs of memory corruption or abnormal execution patterns that might indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects instances of Creolabs Gravity packaged under the marcobambini:gravity identifier. All releases prior to version 0.9.6 are vulnerable; versions 0.9.6 and later contain the necessary patch.", "description_and_impact": "Creolabs Gravity before 0.9.6 contains a heap buffer overflow in the gravity_vm_exec function that lets an attacker create scripts with an abundance of global string literals to trigger insufficient bounds checking in gravity_fiber_reassign(). This out\u2011of\u2011bounds write corrupts heap metadata and can be leveraged to run arbitrary code wherever the Gravity VM evaluates untrusted scripts, directly compromising confidentiality, integrity, and availability of the affected application.", "risk_and_exploitability": "With a CVSS score of 9.3 the flaw is rated critical. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, so on\u2011demand exploitation is not widely known. However, the attack vector is clear: an attacker who can supply a Gravity script containing many string literals at the global scope can trigger the overflow and achieve arbitrary code execution. The required conditions are typical of any application that allows customers to run arbitrary scripts through the Gravity engine."}}}}, "created": "2026-04-16T02:15:21.323361+00:00", "updated": "2026-04-16T02:15:21.323372+00:00", "vendors": []}