External risk intelligence

Creolabs Gravity allows attackers to take control of your systems by crafting scripts.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-40504

An external attacker can exploit a security flaw in Creolabs Gravity by submitting malicious scripts to the application, allowing them to gain full control over the host system. This creates a significant risk of unauthorized access to business data and complete compromise of the underlying infrastructure.

3Halo Surface Signal

Buffer Overflow

External exposure likelihood

Halo Surface Signal score for CVE-2026-40504

Creolabs Gravity is an embedded scripting engine used within host applications, not a standalone network service. Its reachability is entirely dependent on the specific implementation of the parent application. While it can be exposed if an application allows external users to supply scripts, it is not inherently a public-facing service, gateway, or appliance by default.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A heap buffer overflow vulnerability in Creolabs Gravity allows for arbitrary code execution by manipulating scripts with numerous string literals. This issue arises from insufficient bounds checking within the gravity_fiber_reassign function, which can lead to corrupted heap metadata. Teams should pay attention because applications that evaluate untrusted scripts are at risk.

  • Allows arbitrary code execution.
  • Affects applications using the scripting engine.
  • Exploitable via crafted scripts.

Attack Path

How an attacker could exploit the issue

An attacker can achieve arbitrary code execution by crafting malicious scripts with numerous string literals that trigger a heap buffer overflow in the `gravity_vm_exec` function. This vulnerability allows out-of-bounds memory writes by exploiting insufficient bounds checking during script execution, ultimately corrupting heap metadata.

  • Target untrusted script execution.
  • Crafted scripts exploit memory corruption.
  • Requires application vulnerability execution.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this heap buffer overflow in Creolabs Gravity appealing due to the potential for arbitrary code execution when processing untrusted scripts. The vulnerability exists in a core function for script execution, suggesting it could be a target if such scripts are user-supplied. However, its impact is contingent on the host application's design and how it integrates Gravity.

  • Exploitation requires untrusted script execution.
  • No public exploit code is available.
  • Vendor released a fix in version 0.9.6.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and isolating any applications that evaluate untrusted scripts using Creolabs Gravity versions prior to 0.9.6, due to the risk of arbitrary code execution from a heap buffer overflow. Teams should focus on confirming the presence of vulnerable Gravity components and immediately blocking or segmenting any services where external script evaluation is possible.

  • Block or isolate affected services.
  • Monitor for suspicious script execution.
  • Update to Gravity 0.9.6 or later.

Frequently asked questions

What is the nature of the vulnerability in Creolabs Gravity?

Creolabs Gravity versions prior to 0.9.6 contain a heap buffer overflow vulnerability in the gravity_vm_exec function. This allows attackers to write out-of-bounds memory by crafting scripts with many string literals at the global scope. This can lead to arbitrary code execution in applications that evaluate untrusted scripts.

How does the heap buffer overflow in Creolabs Gravity occur, and what is the weakness class?

The vulnerability, classified as CWE-122 (Heap-based Buffer Overflow), occurs due to insufficient bounds checking in the gravity_fiber_reassign() function. Attackers can exploit this to corrupt heap metadata, enabling arbitrary code execution when applications evaluate untrusted, crafted scripts.

What is the trigger path for this vulnerability, and is scope negation relevant?

The trigger path involves crafting malicious scripts with numerous string literals at the global scope. Exploitation of insufficient bounds checking in gravity_fiber_reassign() leads to out-of-bounds memory writes. Scope negation is not explicitly mentioned as a factor or a mitigation in the provided context.

How relevant is the Halo Surface Signal advisory for this CVE?

The Halo Surface Signal advisory indicates a 'Possible' relevance for this CVE, with a score of 3. It notes that Creolabs Gravity is an embedded scripting engine within host applications, not a standalone network service. Its exposure depends entirely on the parent application's implementation, making it not inherently a public-facing service.

What practical steps should be taken to respond to this vulnerability?

Teams should identify and isolate applications using Creolabs Gravity versions before 0.9.6, especially those evaluating untrusted scripts. Prioritize confirming vulnerable Gravity components and blocking or segmenting services where external script evaluation is possible. Updating to Gravity version 0.9.6 or later is recommended.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified