CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out of bounds on the heap by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.
Analysis (AI)
Heap buffer overflow in Creolabs Gravity scripting language before 0.9.6 enables remote code execution when applications evaluate untrusted scripts containing many string literals at global scope. The vulnerability stems from insufficient bounds checking in gravity_fiber_reassign(), allowing heap metadata corruption. …
Remediation (AI)
Within 24 hours: Identify all systems running Creolabs Gravity and document current versions in use; notify relevant development and DevOps teams of critical patch requirement. Within 7 days: Deploy Gravity 0.9.6 or later (containing commit 18b9195) to all production and staging environments; prioritize systems processing external or user-supplied scripts. …
EUVD-2026-23145
GHSA-3r49-76f3-pf2m