CVE-2024-36760 is a stack overflow vulnerability identified in version 1.18.0 of the Rhai scripting engine, specifically within the eval_stmt_block function of the eval_stmt module. Rhai is a lightweight embedded scripting language commonly used to add scripting capabilities to applications. The vulnerability arises from uncontrolled recursive calls in the eval_stmt_block function, which leads to a stack overflow condition. This flaw is categorized under CWE-120 (Classic Buffer Overflow) and can be triggered remotely without requiring any authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is primarily on availability, as exploitation causes the application or service embedding Rhai to crash, resulting in denial of service. The CVSS score of 7.5 reflects the high severity due to ease of exploitation and potential disruption. No patches or exploits are currently publicly available, but the vulnerability is published and recognized by MITRE. The flaw affects any application using Rhai 1.18.0 that evaluates scripts using the vulnerable function, potentially impacting a wide range of software products that embed Rhai for scripting purposes.

The primary impact of CVE-2024-36760 is denial of service caused by application crashes due to stack overflow. Organizations embedding Rhai 1.18.0 in their software may experience service interruptions, leading to operational downtime and potential loss of availability for critical systems. While the vulnerability does not compromise confidentiality or integrity, the disruption of services can affect business continuity, especially in environments relying on automated scripting for workflows or embedded control systems. The ease of remote exploitation without authentication increases the risk of widespread attacks, particularly in exposed network environments. Industries such as software development, IoT device manufacturers, and any sector embedding Rhai for scripting could face significant operational challenges if exploited.

To mitigate CVE-2024-36760, organizations should prioritize upgrading Rhai to a version where this vulnerability is patched once it becomes available. In the interim, developers should audit their use of Rhai's eval_stmt_block function to identify and limit recursive script evaluations that could trigger stack overflow. Implementing input validation and recursion depth limits within scripts can reduce risk. Additionally, deploying runtime protections such as stack canaries, address space layout randomization (ASLR), and memory protection mechanisms can help mitigate exploitation impact. Network-level controls like firewall rules and intrusion detection systems should monitor and restrict unauthorized access to services exposing Rhai scripting interfaces. Finally, maintaining robust logging and monitoring can aid in early detection of exploitation attempts.