| Title | Duktape https://github.com/svaarala/duktape <=2.99.99 Memory Corruption |
|---|
| Description | Duktape's bytecode loader (`duk_api_bytecode.c`) uses the `DUK_ASSERT` macro for bounds checking. In Release builds, `DUK_ASSERT` is defined as a no-op, so the bounds check is completely removed. By crafting bytecode with an inflated `count_instr` field and a truncated buffer ending at the instruction data boundary, the loader reads 4 bytes past the heap allocation, which are then interpreted as bytecode instructions. |
|---|
| Source | ⚠️ https://github.com/hmKunlun/compileOOB/blob/main/api_bytecode.md |
|---|
| User | kunlun (UID 95866) |
|---|
| Submission | 05/20/2026 06:20 (2 months ago) |
|---|
| Moderation | 06/14/2026 15:43 (25 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 370859 [svaarala duktape up to 2.99.99 duk_api_bytecode.c count_instr memory corruption] |
|---|
| Points | 20 |
|---|