CVE-2026-40504 - Vulnerability Analysis
Severity: Critical
CVSS: 9.8
Last Updated: April 17, 2026
Creolabs Gravity - Remote Code Execution
Overview
Creolabs Gravity before 0.9.6 contains a heap-based buffer overflow caused by insufficient bounds checking in the gravity_vm_exec and gravity_fiber_reassign functions. An attacker who can get the interpreter to evaluate a crafted script containing many string literals at global scope can write past the bounds of a heap buffer and execute arbitrary code. Exploitation requires that the application evaluate untrusted scripts.
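To make the bug class concrete, the following is an added illustration in C of the kind of defect CWE-122 describes. It is not Gravity's code and makes no claim about how gravity_vm_exec or gravity_fiber_reassign are actually written: it models a hypothetical heap-allocated constant pool that a VM might use for global string literals, showing an unchecked append (the overflow) beside a checked one that grows the pool with overflow-safe arithmetic and fails closed. The pool structure, the initial capacity, all function names and the constructed 1000-literal input are assumptions.

```c
/*
 * Added illustration of the CWE-122 class, not Gravity's code.
 * A hypothetical VM keeps a heap-allocated table of string literals for
 * globals. pool_add_unchecked() appends without a capacity check, so the
 * first literal past the capacity is stored beyond the heap allocation;
 * pool_add_checked() grows the table and fails closed on any error.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_INITIAL_CAP 8 /* hypothetical starting capacity */

typedef struct {
    char **items;  /* heap array of owned literal copies */
    size_t count;  /* entries in use */
    size_t cap;    /* entries allocated */
} const_pool_t;

/* Portable strdup replacement (strdup is POSIX, not ISO C). */
static char *dup_str(const char *s) {
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy != NULL) memcpy(copy, s, len);
    return copy;
}

/* Allocate an empty pool; returns 0 on success, -1 on allocation failure. */
int pool_init(const_pool_t *p) {
    p->items = calloc(POOL_INITIAL_CAP, sizeof *p->items);
    p->count = 0;
    p->cap = p->items ? POOL_INITIAL_CAP : 0;
    return p->items ? 0 : -1;
}

void pool_free(const_pool_t *p) {
    for (size_t i = 0; i < p->count; i++) free(p->items[i]);
    free(p->items);
    p->items = NULL;
    p->count = p->cap = 0;
}

/* VULNERABLE: trusts that cap is never exceeded. Once count == cap the store
 * lands past the end of the heap block (heap-based overflow). Kept only to
 * show the defect; never call it with an attacker-controlled literal count. */
void pool_add_unchecked(const_pool_t *p, const char *lit) {
    p->items[p->count++] = dup_str(lit);
}

/* HARDENED: grow geometrically, guard the size multiplication, fail closed. */
int pool_add_checked(const_pool_t *p, const char *lit) {
    if (p->count == p->cap) {
        if (p->cap > SIZE_MAX / 2 / sizeof *p->items) return -1;
        size_t ncap = p->cap ? p->cap * 2 : POOL_INITIAL_CAP;
        char **n = realloc(p->items, ncap * sizeof *n);
        if (n == NULL) return -1;
        p->items = n;
        p->cap = ncap;
    }
    char *copy = dup_str(lit);
    if (copy == NULL) return -1;
    p->items[p->count++] = copy;
    return 0;
}

/* Model of "a script with n string literals at global scope": interns n
 * literals via the hardened path and returns how many were accepted. */
size_t load_global_literals(const_pool_t *p, size_t n) {
    char buf[32];
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) {
        snprintf(buf, sizeof buf, "g%zu", i);
        if (pool_add_checked(p, buf) != 0) break;
        ok++;
    }
    return ok;
}

/* Returns 1 when appending n more literals through the unchecked path would
 * write past the pool's allocation; demonstrates the defect without actually
 * corrupting the heap. */
int unchecked_would_overflow(const const_pool_t *p, size_t n) {
    return n > p->cap - p->count;
}

int main(void) {
    const_pool_t p;
    if (pool_init(&p) != 0) return 1;
    size_t n = 1000; /* constructed input: far more literals than the initial capacity */
    printf("unchecked append of %zu literals would overflow: %d\n", n, unchecked_would_overflow(&p, n));
    printf("checked append accepted %zu literals (cap now %zu)\n", load_global_literals(&p, n), p.cap);
    pool_free(&p);
    return 0;
}
```

The checked variant is what a fix for this bug class looks like: the write is only performed after the capacity has been re-established, and the multiplication that computes the new size is guarded so a huge literal count cannot wrap it into a small allocation.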
Severity & Score
Impact
Attackers can execute arbitrary code by triggering a heap buffer overflow during script evaluation, compromising the application that embeds the interpreter; the CVSS vector rates confidentiality, integrity and availability impact all High. Only applications that evaluate scripts from untrusted sources are exposed.
Mitigation
Upgrade to Gravity 0.9.6 or later. Until the upgrade is deployed, do not evaluate scripts from untrusted sources, since the vulnerability is only reachable through script evaluation.
References
Social Media Activity (2 posts)
🚨 CVE-2026-40504: Critical heap-based buffer overflow in Creolabs Gravity (<0.9.6). Attackers could achieve RCE via malicious scripts. No patch yet - avoid untrusted input & monitor for updates. https://radar.offseq.com/threat/cve-2026-40504-cwe-122-heap-based-buffer-overflow--7b35deb9 #OffSeq #CVE202640504 #infosec
CVE-2026-40504 - Critical (9.8) Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit in... https://www.thehackerwire.com/vulnerability/CVE-2026-40504/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-40504
- Severity: Critical
- CVSS Score: 9.8
- Type: buffer_overflow
- Status: unconfirmed
- EPSS: 7.3%
- Social Posts: 2
CWE
- CWE-122 (Heap-based Buffer Overflow)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
(Network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, high confidentiality, integrity and availability impact.)