CVE-2026-40504

Creolabs · Gravity

Creolabs Gravity before 0.9.6 is vulnerable to a heap buffer overflow in the VM execution engine, allowing arbitrary code execution.

Executive summary

A critical heap buffer overflow in the Creolabs Gravity VM allows attackers to achieve arbitrary code execution through crafted scripts.

Vulnerability

Insufficient bounds checking in the 'gravity_fiber_reassign()' and 'gravity_vm_exec()' functions leads to heap memory corruption. An attacker who can supply a script to the VM can trigger the overflow with crafted input and use it to execute arbitrary code on the host system.
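As an added illustration of the bug class only, not Gravity's code and not a description of the specific defect in 'gravity_fiber_reassign()': a hypothetical VM fiber whose register window is re-targeted to a new base without checking that the requested slots fit the heap-allocated value stack, beside a checked version that rejects a wrapping sum and grows the stack before moving the top. All names here (vm_fiber_t, fiber_reassign_unchecked, fiber_reassign_checked, the demo functions) are invented for this example.

```c
/* Added example: toy VM fiber showing a missing window bounds check.
 * NOT Gravity's code; every identifier here is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef double vm_value_t;

/* A fiber owns a heap-allocated value stack; each call frame gets a
 * register window (a contiguous run of slots) at some base offset. */
typedef struct {
    vm_value_t *stack;
    size_t      stackalloc;   /* capacity in slots */
    size_t      stacktop;     /* one past the highest live slot */
} vm_fiber_t;

static vm_fiber_t *fiber_new(size_t capacity) {
    vm_fiber_t *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->stackalloc = capacity ? capacity : 1;
    f->stack = calloc(f->stackalloc, sizeof *f->stack);
    if (!f->stack) { free(f); return NULL; }
    return f;
}

static void fiber_free(vm_fiber_t *f) {
    if (f) { free(f->stack); free(f); }
}

/* True when a window of nregs slots at base lies inside the stack. */
static bool fiber_window_in_bounds(const vm_fiber_t *f, size_t base, size_t nregs) {
    return base <= f->stackalloc && nregs <= f->stackalloc - base;
}

/* Vulnerable pattern: trust the (script-derived) base and register count.
 * stacktop and the returned window may lie past the allocation, so the next
 * register write corrupts adjacent heap memory. */
static vm_value_t *fiber_reassign_unchecked(vm_fiber_t *f, size_t base, size_t nregs) {
    f->stacktop = base + nregs;          /* no capacity check, no wrap check */
    return f->stack + base;
}

/* Hardened pattern: refuse a wrapping sum, grow the stack to fit, and only
 * then move stacktop. NULL tells the caller to abort the fiber. */
static vm_value_t *fiber_reassign_checked(vm_fiber_t *f, size_t base, size_t nregs) {
    if (base > f->stackalloc) return NULL;
    if (nregs > SIZE_MAX - base) return NULL;        /* base + nregs would wrap */
    size_t needed = base + nregs;
    if (needed > f->stackalloc) {
        size_t newcap = f->stackalloc;
        while (newcap < needed) {
            if (newcap > SIZE_MAX / 2) return NULL;
            newcap *= 2;
        }
        if (newcap > SIZE_MAX / sizeof(vm_value_t)) return NULL;
        vm_value_t *p = realloc(f->stack, newcap * sizeof *p);
        if (!p) return NULL;
        memset(p + f->stackalloc, 0, (newcap - f->stackalloc) * sizeof *p);
        f->stack = p;
        f->stackalloc = newcap;
    }
    f->stacktop = needed;
    return f->stack + base;
}

/* Demo: a frame asks for 4 registers at base 6 of an 8-slot stack, sizes a
 * crafted script could induce. True when the unchecked path hands back an
 * out-of-bounds window and the checked path hands back a safe one. */
static bool demo_overflow_vs_checked(void) {
    vm_fiber_t *f = fiber_new(8);
    if (!f) return false;
    vm_value_t *win = fiber_reassign_unchecked(f, 6, 4);
    bool unchecked_oob = win != NULL && !fiber_window_in_bounds(f, 6, 4);
    /* writing win[2] or win[3] here would overflow the heap; we do not */
    vm_value_t *safe = fiber_reassign_checked(f, 6, 4);
    bool checked_ok = safe != NULL && fiber_window_in_bounds(f, 6, 4)
                      && f->stacktop == 10;
    if (checked_ok) safe[3] = 1.0;       /* now a legal write */
    fiber_free(f);
    return unchecked_oob && checked_ok;
}

/* Checked path must refuse a count that wraps and a base past the end,
 * leaving stacktop untouched. */
static bool demo_checked_rejects_bad_sizes(void) {
    vm_fiber_t *f = fiber_new(4);
    if (!f) return false;
    bool rejected = fiber_reassign_checked(f, 2, SIZE_MAX) == NULL
                 && fiber_reassign_checked(f, 5, 1) == NULL
                 && f->stacktop == 0;
    fiber_free(f);
    return rejected;
}

int main(void) {
    printf("unchecked window out of bounds, checked window safe: %s\n",
           demo_overflow_vs_checked() ? "yes" : "no");
    printf("checked path rejects wrapping/out-of-range sizes: %s\n",
           demo_checked_rejects_bad_sizes() ? "yes" : "no");
    return 0;
}
```

The point to carry over when auditing any embedded VM is that both the base offset and the register count must be validated against the current allocation before the top-of-stack is updated, and that the addition itself must be checked for wraparound, since a size_t overflow turns a large request into a small one that passes a naive comparison.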

Business impact

The CVSS score of 9.8 signifies a severe risk. If an application uses the Gravity engine to process untrusted scripts, an attacker who controls the script input could execute code with the privileges of the embedding process and from there achieve complete system compromise, bypassing the security boundaries the application relies on.

Remediation

Immediate Action: Upgrade to Creolabs Gravity version 0.9.6 or later.

Proactive Monitoring: Monitor applications utilizing the Gravity engine for anomalous crashes or unexpected script processing behavior.

Compensating Controls: If upgrading is not possible, run the embedding process under strict sandboxing (reduced privileges and OS-level isolation) and accept scripts only from trusted sources rather than from untrusted input.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Memory corruption vulnerabilities in execution engines are high-priority. Organizations should update to version 0.9.6 or later immediately to remove the arbitrary code execution risk; because the engine is typically embedded directly in the host application, check vendored copies of the source as well as package-managed dependencies.