CVE-2026-12216

Publication date 15 June 2026

Last updated 19 June 2026

Ubuntu priority

Cvss 3 Severity Score

Description

A weakness has been identified in svaarala duktape up to 2.99.99. This issue affects some unknown processing of the file duk_api_bytecode.c. Executing a manipulation of the argument count_instr can lead to memory corruption. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
duktape	26.04 LTS resolute	Vulnerable, fix deferred
	25.10 questing	Vulnerable, fix deferred
	24.04 LTS noble	Vulnerable, fix deferred
	22.04 LTS jammy	Vulnerable, fix deferred
	20.04 LTS focal	Vulnerable, fix deferred
	18.04 LTS bionic	Vulnerable, fix deferred

Notes

mdeslaur

as of 2026-06-16, there does not seem to be any patch available from duktape developers

Severity score breakdown

CVSS version:

Base score 1.9 · Low

Base metrics

Parameter	Value
Attack vector	Local
Attack complexity	Low
Attack requirements	None
Privileges required	Low
User interaction	None
Vulnerable system - Confidentiality impact	Low
Vulnerable system - Integrity impact	Low
Vulnerable system - Availability impact	Low
Subsequent system - Confidentiality impact	None
Subsequent system - Integrity impact	None
Subsequent system - Availability impact	None

Scores

Parameter	Value
Base score	1.9 · Low
Base + Threat score	-
Base + Environmental score	-
Base + Threat + Environmental score	-

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Base score 5.3 · Medium