Skip to main content

Duktape CVE-2026-12216

| EUVDEUVD-2026-36689 LOW
Buffer Overflow (CWE-119)
2026-06-15 cna@vuldb.com GHSA-3p43-j8hp-v57p
1.9
CVSS 4.0 · Vendor: vuldb

Severity by source

Vendor (vuldb) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Local attack vector and low privileges required to supply malicious bytecode; no scope change, with limited confidentiality, integrity, and availability impact confined to the host process.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vuldb).

CVSS VectorVendor: vuldb

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 04:33 vuln.today

DescriptionCVE.org

A weakness has been identified in svaarala duktape up to 2.99.99. This issue affects some unknown processing of the file duk_api_bytecode.c. Executing a manipulation of the argument count_instr can lead to memory corruption. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Memory corruption in Duktape's bytecode API (duk_api_bytecode.c) allows local low-privilege attackers to corrupt process memory by supplying a crafted count_instr argument during bytecode processing. All Duktape versions up to 2.99.99 are affected. A public proof-of-concept exploit exists, though the CVSS 4.0 score of 1.9 reflects constrained real-world impact - local access and low privileges are required, and confidentiality, integrity, and availability impact is rated low. No patch is available; the vendor did not respond to coordinated disclosure.

Technical ContextAI

Duktape (svaarala/duktape) is a lightweight, embeddable ECMAScript E5/E5.1 engine written in C, commonly used in IoT firmware, game scripting, and resource-constrained environments. The vulnerability resides in duk_api_bytecode.c, which handles serialization and deserialization of compiled JavaScript bytecode - functions such as duk_dump_function and duk_load_function operate on this code path. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) identifies the root cause as insufficient validation of the count_instr parameter, which controls instruction-count bookkeeping during bytecode parsing. A malformed value can cause out-of-bounds buffer operations, leading to memory corruption within the host process. No CPE strings were included in the source data; the affected product is identified by VulDB as svaarala/duktape through version 2.99.99.

RemediationAI

No vendor-released patch has been identified at time of analysis; the vendor (svaarala) did not respond to coordinated disclosure, and no fixed version has been confirmed from any reference. The most effective compensating control is to avoid loading Duktape bytecode blobs (via duk_load_function or equivalent) from any untrusted or user-controlled source - restricting bytecode input to internally compiled, trusted sources eliminates the attack surface entirely, with no functional trade-off for most deployments. Where Duktape is embedded in multi-user or shared environments, sandboxing or containerizing the host process (e.g., via Linux namespaces or seccomp profiles) limits memory corruption impact to the isolated process and prevents privilege escalation or lateral movement. Monitor the Duktape GitHub repository and VulDB entry https://vuldb.com/vuln/370859 for any upstream patch commits or tagged releases addressing this issue.

Share

CVE-2026-12216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy