CVE-2026-2656
Use-After-Free in ChaiScript Type_Info::bare_equal Function
Publication date: 2026-02-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chaiscript | chaiscript | to 6.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2656 is a heap-use-after-free (UAF) vulnerability in the ChaiScript scripting engine, specifically in the function chaiscript::Type_Info::bare_equal located in include/chaiscript/dispatchkit/type_info.hpp.
The vulnerability arises from a race condition between the main thread and a worker thread during exception handling and engine destruction. The main thread destroys the Dispatch_Engine instance and frees memory associated with internal type maps, while concurrently, a worker thread throws an asynchronous exception and attempts to format the error message. During this formatting, the worker thread accesses type nodes that have already been freed by the main thread, causing a use-after-free condition.
This unsynchronized destruction and exception handling in multi-threaded ChaiScript usage can lead to crashes or undefined behavior.
How can this vulnerability impact me? :
This vulnerability can cause a use-after-free memory access, which may lead to program crashes or undefined behavior when running multi-threaded applications using ChaiScript.
Because the worker thread accesses memory that has already been freed by the main thread, it can cause instability or crashes in the software, potentially affecting the availability of the application.
Exploitation requires local access and is considered difficult due to the high attack complexity, but a proof-of-concept exploit is publicly available.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability is a heap-use-after-free issue triggered by a race condition in multi-threaded usage of ChaiScript, specifically during asynchronous exception handling and engine destruction.'}, {'type': 'paragraph', 'content': 'Detection involves reproducing the issue by running asynchronous tasks that throw exceptions during evaluation, and monitoring for heap-use-after-free errors using AddressSanitizer (ASan).'}, {'type': 'paragraph', 'content': 'Suggested detection steps include:'}, {'type': 'list_item', 'content': 'Build ChaiScript with Release optimizations and AddressSanitizer enabled.'}, {'type': 'list_item', 'content': "Run a script that launches asynchronous functions containing a faulty loop condition (e.g., a loop with '!+i' causing 'chaiscript::exception::eval_error')."}, {'type': 'list_item', 'content': "Observe the program output or logs for AddressSanitizer reports indicating heap-use-after-free errors in 'Type_Info::bare_equal'."}, {'type': 'paragraph', 'content': 'No specific network commands are applicable since the attack requires local access and is triggered by local asynchronous script execution.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known patches or official mitigations available for this vulnerability as the ChaiScript project has not responded to the issue report.
Immediate mitigation steps include:
- Avoid running untrusted or asynchronous scripts that may trigger exceptions during engine destruction.
- Limit local access to systems running vulnerable versions of ChaiScript to reduce risk.
- Consider disabling or restricting multi-threaded asynchronous exception handling in ChaiScript usage if possible.
- As a longer-term measure, consider replacing ChaiScript with an alternative scripting engine that does not have this vulnerability.