Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack vector and low privileges required to supply malicious bytecode; no scope change, with limited confidentiality, integrity, and availability impact confined to the host process.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in svaarala duktape up to 2.99.99. This issue affects some unknown processing of the file duk_api_bytecode.c. Executing a manipulation of the argument count_instr can lead to memory corruption. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Memory corruption in Duktape's bytecode API (duk_api_bytecode.c) allows local low-privilege attackers to corrupt process memory by supplying a crafted count_instr argument during bytecode processing. All Duktape versions up to 2.99.99 are affected. A public proof-of-concept exploit exists, though the CVSS 4.0 score of 1.9 reflects constrained real-world impact - local access and low privileges are required, and confidentiality, integrity, and availability impact is rated low. No patch is available; the vendor did not respond to coordinated disclosure.
Technical ContextAI
Duktape (svaarala/duktape) is a lightweight, embeddable ECMAScript E5/E5.1 engine written in C, commonly used in IoT firmware, game scripting, and resource-constrained environments. The vulnerability resides in duk_api_bytecode.c, which handles serialization and deserialization of compiled JavaScript bytecode - functions such as duk_dump_function and duk_load_function operate on this code path. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) identifies the root cause as insufficient validation of the count_instr parameter, which controls instruction-count bookkeeping during bytecode parsing. A malformed value can cause out-of-bounds buffer operations, leading to memory corruption within the host process. No CPE strings were included in the source data; the affected product is identified by VulDB as svaarala/duktape through version 2.99.99.
RemediationAI
No vendor-released patch has been identified at time of analysis; the vendor (svaarala) did not respond to coordinated disclosure, and no fixed version has been confirmed from any reference. The most effective compensating control is to avoid loading Duktape bytecode blobs (via duk_load_function or equivalent) from any untrusted or user-controlled source - restricting bytecode input to internally compiled, trusted sources eliminates the attack surface entirely, with no functional trade-off for most deployments. Where Duktape is embedded in multi-user or shared environments, sandboxing or containerizing the host process (e.g., via Linux namespaces or seccomp profiles) limits memory corruption impact to the isolated process and prevents privilege escalation or lateral movement. Monitor the Duktape GitHub repository and VulDB entry https://vuldb.com/vuln/370859 for any upstream patch commits or tagged releases addressing this issue.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36689
GHSA-3p43-j8hp-v57p