CVE-2026-2657
Awaiting Analysis Awaiting Analysis - Queue
Stack-Based Buffer Overflow in wren-lang Error Message Handler

Publication date: 2026-02-18

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in wren-lang wren up to 0.4.0. This impacts the function printError of the file src/vm/wren_compiler.c of the component Error Message Handler. Such manipulation leads to stack-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2657
EUVD
EUVD-2026-7645
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wren wren to 0.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2657 is a stack-based buffer overflow vulnerability in the Wren programming language compiler, specifically in the function printError located in src/vm/wren_compiler.c.

The vulnerability occurs because printError uses the unsafe C function vsprintf to format error messages into a fixed-size local stack buffer (about 159 bytes) without checking if the formatted string fits within this buffer.

When an error is triggered during class or method compilation, such as by declareMethod with a long format string or an excessively long method name, vsprintf writes beyond the buffer boundary, corrupting the stack and causing a crash or undefined behavior.

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow) and requires local access to exploit.

Impact Analysis

This vulnerability can lead to stack corruption and program crashes when the Wren compiler encounters certain error conditions during compilation.

Because it is a stack-based buffer overflow, it may cause undefined behavior, potentially impacting system stability and availability.

Exploitation requires local access, and a public proof-of-concept exploit is available, making it easier for attackers with local privileges to trigger the vulnerability.

No patches or mitigations have been provided by the maintainers as of the advisory date, so affected users should consider replacing the software or applying other protective measures.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a stack-based buffer overflow occurring locally in the Wren programming language compiler during error message formatting in the printError function. Detection involves reproducing the overflow condition by triggering compilation errors with long format strings or excessively long method names.

To detect the vulnerability, you can build Wren and a test harness with AddressSanitizer (ASan) enabled, then run the harness with a specially crafted input file that triggers the overflow. The ASan report will confirm the overflow by showing stack corruption at the buffer boundary.

Suggested approach includes compiling Wren with Clang and ASan enabled and running a test harness that interprets Wren source files designed to trigger the overflow during method declaration or class definition compilation.

There are no specific network commands since the attack is local, but to reproduce and detect the issue, you can use the provided test harness and crafted input files from the public exploit repositories.

Mitigation Strategies

As of the advisory date, no patches or official mitigations have been provided by the Wren project maintainers.

Immediate mitigation steps include avoiding local use of vulnerable versions of Wren (up to 0.4.0) and restricting local access to trusted users only, since exploitation requires local access.

Consider replacing the affected Wren version with an alternative product or language until a fix is released.

Monitor the official Wren repository and issue trackers for any updates or patches addressing this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2657. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart