Description
A weakness has been identified in svaarala duktape up to 2.99.99. This issue affects some unknown processing of the file duk_api_bytecode.c. Executing a manipulation of the argument count_instr can lead to memory corruption. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the handling of the argument count_instr within duk_api_bytecode.c. By manipulating this value an attacker can corrupt memory. The resulting corruption can cause crashes or potentially allow execution of arbitrary code, thereby compromising the confidentiality, integrity and availability of the affected process. The specified impact is realistic only when the attacker can successfully provide crafted input while the vulnerable code is executing.

Affected Systems

All installations of the svaarala duktape engine up to version 2.99.99 are impacted. No finer version information is available in the advisory, and the vendor has yet to issue a fix. The advisory specifies svaarala duktape as the affected product and references the official CPE for this product, but the raw CPE string is omitted from the narrative.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate level of risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires local access, meaning it is relevant only to users who already have some level of access to the target machine. Because a public exploit is available, a local attacker can readily use the vulnerability to destabilize the system or possibly take full control of the process. The overall risk profile is moderate, but the lack of a patch elevates the significance of mitigations based on access control and monitoring.

Generated by OpenCVE AI on June 15, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any vendor‑issued patch or newer release of duktape as soon as it becomes available
  • Limit local access to the process that utilizes duktape by running it under a non‑privileged user and restricting file permissions on any input files
  • Enable logging or monitoring of crashes and anomalous behavior caused by duktape to detect exploitation attempts

Generated by OpenCVE AI on June 15, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in svaarala duktape up to 2.99.99. This issue affects some unknown processing of the file duk_api_bytecode.c. Executing a manipulation of the argument count_instr can lead to memory corruption. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title svaarala duktape duk_api_bytecode.c memory corruption
First Time appeared Svaarala
Svaarala duktape
Weaknesses CWE-119
CPEs cpe:2.3:a:svaarala:duktape:*:*:*:*:*:*:*:*
Vendors & Products Svaarala
Svaarala duktape
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Svaarala Duktape
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T03:45:07.142Z

Reserved: 2026-06-14T13:43:24.569Z

Link: CVE-2026-12216

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-15T04:16:26.140

Modified: 2026-06-15T04:16:26.140

Link: CVE-2026-12216

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T06:00:18Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer