CVE-2026-12216 | A weakness has been identified in svaarala duktape up to 2.9… | CVSS 5.3 MEDIUM

Description

A weakness has been identified in svaarala duktape up to 2.99.99. This issue affects some unknown processing of the file duk_api_bytecode.c. Executing a manipulation of the argument count_instr can lead to memory corruption. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

CVE ID: CVE-2026-12216
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-14 13:43 UTC
Published: 2026-06-15 03:45 UTC
Last updated: 2026-06-15 13:19 UTC
Primary CWE: CWE-119
Memory Corruption
Vendor / Product: svaarala / duktape
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
svaarala	duktape	—	2.99.0, 2.99.1, 2.99.2, 2.99.3 …

Weakness (CWE)

CWE	Source	Description
CWE-119	cna	Memory Corruption

CVSS scores (4)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
5.3	MEDIUM	3.0	cna	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
4.8	MEDIUM	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
4.3	N/D	2.0	cna	AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

References (5)

VDB-370859 | svaarala duktape duk_api_bytecode.c memory corruption https://vuldb.com/vuln/370859
VDB-370859 | CTI Indicators (IOB, IOC, IOA) https://vuldb.com/vuln/370859/cti
CVE-2026-12216 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-12216
Submit #833814 | Duktape https://github.com/svaarala/duktape <=2.99.99 Memory Corruption https://vuldb.com/submit/833814
https://github.com/hmKunlun/compileOOB/blob/main/api_bytecode.md