Skip to main content

Gravity CVE-2026-40504

| EUVDEUVD-2026-23145 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-04-16 VulnCheck GHSA-3r49-76f3-pf2m
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
Apr 16, 2026 - 02:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 02:34 vuln.today
cvss_changed
CVSS changed
Apr 16, 2026 - 02:34 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Apr 16, 2026 - 01:50 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 01:45 euvd
EUVD-2026-23145
Analysis Generated
Apr 16, 2026 - 01:45 vuln.today
Patch released
Apr 16, 2026 - 01:45 nvd
Patch available
CVE Published
Apr 16, 2026 - 01:10 nvd
CRITICAL 9.3

DescriptionCVE.org

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.

AnalysisAI

Heap buffer overflow in Creolabs Gravity scripting language before 0.9.6 enables remote code execution when applications evaluate untrusted scripts containing many string literals at global scope. The vulnerability stems from insufficient bounds checking in gravity_fiber_reassign(), allowing heap metadata corruption. VulnCheck disclosed this issue with a vendor-released patch (commit 18b9195) available. CVSS 9.3 reflects the critical network-accessible, unauthenticated attack vector. No active exploitation (CISA KEV) or public POC identified at time of analysis, but technical details in GitHub issue #437 could facilitate exploit development.

Technical ContextAI

Gravity is an embeddable scripting language (CPE: cpe:2.3:a:marcobambini:gravity) designed for integration into applications requiring dynamic script execution. The vulnerability (CWE-122: Heap-based Buffer Overflow) occurs in the gravity_vm_exec function during virtual machine execution. When processing scripts with numerous string literals at global scope, the gravity_fiber_reassign() function fails to perform adequate bounds checking during fiber memory reassignment operations. This allows attackers to write beyond allocated heap buffer boundaries, corrupting adjacent heap metadata structures. Heap corruption primitives can be leveraged to redirect control flow and achieve arbitrary code execution within the host application's security context. Applications embedding Gravity to parse user-supplied scripts (plugins, configuration files, web request handlers) inherit this risk.

RemediationAI

Vendor-released patch: Upgrade Gravity to version 0.9.6 or apply commit 18b9195598d9b944376754c6d1ad76e38a4adca1 from https://github.com/marcobambini/gravity/commit/18b9195598d9b944376754c6d1ad76e38a4adca1. Release notes at https://github.com/marcobambini/gravity/releases/tag/0.9.6 confirm fixes for heap buffer overflow. If immediate upgrade is not feasible, implement strict input validation to reject scripts with excessive string literals at global scope (detection threshold requires testing, may break legitimate use cases). Deploy Gravity VM in isolated sandboxes with restricted privileges (containers, separate processes with minimal capabilities) to limit post-exploitation impact, though this does not prevent initial code execution. Disable untrusted script evaluation features entirely if not business-critical. Monitor runtime for abnormal heap allocations or crashes in gravity_vm_exec as potential exploitation indicators. All compensating controls are partial mitigations; patching is the only complete remediation.

CVE-2017-1000073 CRITICAL POC
9.8 Jul 17

Creolabs Gravity version 1.0 is vulnerable to a heap overflow in an undisclosed component that can result in arbitrary c

CVE-2017-1000172 CRITICAL POC
9.8 Nov 17

Creolabs Gravity Version: 1.0 Use-After-Free Possible code execution. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2017-1000173 CRITICAL POC
9.8 Nov 17

Creolabs Gravity Version: 1.0 Heap Overflow Potential Code Execution. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2017-1000075 CRITICAL POC
9.8 Jul 17

Creolabs Gravity version 1.0 is vulnerable to a stack overflow in the memcmp function. Rated critical severity (CVSS 9.8

CVE-2017-1000074 CRITICAL POC
9.8 Jul 17

Creolabs Gravity version 1.0 is vulnerable to a stack overflow in the string_repeat() function. Rated critical severity

CVE-2017-1000072 CRITICAL POC
9.8 Jul 17

Creolabs Gravity version 1.0 is vulnerable to a Double Free in gravity_value resulting potentially leading to modificati

CVE-2021-32284 HIGH POC
7.8 Sep 20

An issue was discovered in gravity through 0.8.1. Rated high severity (CVSS 7.8), this vulnerability is no authenticatio

CVE-2021-32281 HIGH POC
7.8 Sep 20

An issue was discovered in gravity through 0.8.1. Rated high severity (CVSS 7.8), this vulnerability is no authenticatio

CVE-2018-13795 HIGH POC
7.5 Jul 09

Gravity before 0.5.1 does not support a maximum recursion depth. Rated high severity (CVSS 7.5), this vulnerability is r

CVE-2021-32285 MEDIUM POC
5.5 Sep 20

An issue was discovered in gravity through 0.8.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticat

CVE-2021-32283 MEDIUM POC
5.5 Sep 20

An issue was discovered in gravity through 0.8.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticat

CVE-2021-32282 MEDIUM POC
5.5 Sep 20

An issue was discovered in gravity through 0.8.1. Rated medium severity (CVSS 5.5), this vulnerability is no authenticat

Share

CVE-2026-40504 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy