CVE-2026-12216
Description
A memory corruption vulnerability in Duktape's bytecode loader allows local attackers to read heap memory via crafted bytecode with an inflated instruction count.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Duktape up to version 2.99.99, the bytecode loader in duk_api_bytecode.c uses the DUK_ASSERT macro for bounds checking on the count_instr field. In Release builds, DUK_ASSERT is a no-op, so the bounds check is removed. By providing a bytecode buffer with an inflated count_instr value and a truncated buffer that ends at the instruction data boundary, the loader reads 4 bytes past the heap allocation, leading to memory corruption [1].
Exploitation
The attacker requires local access to the system running Duktape. The exploit involves crafting a bytecode buffer where the count_instr field is increased by one, and the buffer is truncated so that only the header and the original instruction data are present. When duk_load_function is called, the loader reads 4 extra bytes beyond the allocated buffer, which are then interpreted as bytecode instructions. The provided proof-of-concept code demonstrates this by modifying a dumped function's bytecode and loading it [1].
Impact
Successful exploitation results in an out-of-bounds read of 4 bytes from heap memory. This can lead to memory corruption, potentially causing a crash or information disclosure. The attacker may be able to read sensitive data from adjacent heap memory. The vulnerability is classified as medium severity (CVSS 5.3) due to the requirement of local access and the limited scope of the read.
Mitigation
As of the publication date, no official fix has been released by the vendor (svaarala), who did not respond to the disclosure. Users are advised to avoid loading untrusted bytecode in Release builds, or to use Debug builds where DUK_ASSERT is active. Alternatively, apply a patch that replaces DUK_ASSERT with a proper runtime bounds check. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing runtime bounds check in the Duktape bytecode loader; the only check relies on `DUK_ASSERT`, which is compiled away in Release builds."
Attack vector
An attacker with the ability to supply a crafted Duktape bytecode blob can inflate the `count_instr` field in the bytecode header while truncating the buffer so it contains fewer instruction bytes than the header claims. Because the release build has no runtime bounds check (the assertion is dead code), the loader reads four bytes past the end of the allocation and interprets them as bytecode instructions. This out-of-bounds read can lead to memory corruption. The attack requires local access and low privileges (AV:L/PR:L). [ref_id=1]
Affected code
The Duktape bytecode loader in `duk_api_bytecode.c` uses `DUK_ASSERT` for bounds checking. In Release builds that macro is a no-op, so the check is removed entirely. [ref_id=1] The patch does not show any other functions at fault.
What the fix does
No patch has been provided by the vendor. The advisory recommends that Duktape replace `DUK_ASSERT`-only bounds checks with a hard runtime guard (e.g., an `if` statement that returns an error) so that the check is present in both debug and release builds. [ref_id=1] Without such a change, a release build will continue to read heap memory beyond the supplied bytecode buffer when `count_instr` exceeds the available data.
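As an added illustration of the guard the advisory recommends (example code written for this page, not Duktape's own loader), the assert-only pattern sits beside a runtime check, over a simplified and assumed header layout: a 4-byte little-endian count_instr followed by 4-byte instructions. The sample buffers are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified layout (an assumption, not Duktape's real format):
 * a 4-byte little-endian count_instr header, then count_instr 4-byte instructions. */
#define HDR_LEN 4u
#define INSTR_LEN 4u
#define RELEASE_BUILD 1 /* 1 mimics a release build: assert-only checks vanish */
#if RELEASE_BUILD
#define BC_ASSERT(x) ((void)0)
#else
#define BC_ASSERT(x) assert(x)
#endif
/* Constructed samples: consistent header; same bytes with count_instr inflated
 * by one; and a huge count_instr that would wrap a multiply-based check. */
const uint8_t SAMPLE_GOOD[12]     = {2, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8};
const uint8_t SAMPLE_INFLATED[12] = {3, 0, 0, 0, 1, 2, 3, 4, 5, 6, 7, 8};
const uint8_t SAMPLE_HUGE[12]     = {0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4, 5, 6, 7, 8};

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assert-only pattern the advisory describes: in a release build the check
 * vanishes, so an inflated count_instr is accepted (returns 0). */
int validate_count_assert_only(const uint8_t *buf, size_t len, uint32_t *count_out) {
    uint32_t count = rd_u32le(buf);
    BC_ASSERT((size_t)count * INSTR_LEN <= len - HDR_LEN);
    *count_out = count;
    return 0;
}

/* Hardened pattern: a runtime guard that survives release builds.
 * Returns 0 if the buffer holds every claimed instruction, -1 otherwise. */
int validate_count_checked(const uint8_t *buf, size_t len, uint32_t *count_out) {
    if (buf == NULL || len < HDR_LEN) return -1;
    uint32_t count = rd_u32le(buf);
    /* Divide rather than multiply so a huge count cannot wrap the comparison. */
    if (count > (len - HDR_LEN) / INSTR_LEN) return -1;
    *count_out = count;
    return 0;
}

int main(void) {
    uint32_t n;
    printf("inflated header: checked=%d assert-only=%d\n", validate_count_checked(SAMPLE_INFLATED, 12, &n), validate_count_assert_only(SAMPLE_INFLATED, 12, &n));
    return 0;
}
```

With RELEASE_BUILD set to 1 the assert-only variant accepts the inflated header, which is exactly the condition a release build of the loader faces; the checked variant rejects it regardless of build type.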
Preconditions
- config: The target application must be compiled as a Release build of Duktape (i.e., DUK_ASSERT defined as a no-op).
- input: The attacker must be able to supply a Duktape bytecode blob with a crafted count_instr field and a truncated buffer.
- auth: The attacker must have local access and privileges to run a program that loads the crafted bytecode into Duktape.
Reproduction
The researcher published a complete PoC. Compile the provided `d1_mini_poc.c` against a Release build of Duktape, run the binary, and observe the "OOB CONFIRMED" output and the injected 0xDEADBEEF sentinel being read. [ref_id=1]
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
News mentions: 0
No linked articles in our index yet.