# CVE-2026-40504

> Vulnerability · severity: **CRITICAL** (CVSS 9.8).

## Description

Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string literals at global scope. Attackers can exploit insufficient bounds checking in gravity_fiber_reassign() to corrupt heap metadata and achieve arbitrary code execution in applications that evaluate untrusted scripts.

## Key facts

- **CVE ID:** CVE-2026-40504
- **Published:** 2026-04-16
- **CVSS severity:** CRITICAL
- **CVSS base score:** 9.8
- **CWE codes:** CWE-122

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40504

## Citation

> AI Analytics. CVE-2026-40504. Retrieved 2026-07-15 from https://api.ai-analytics.org/cve/CVE-2026-40504. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*