CVE-2026-2660
Received Received - Intake
Use-After-Free in FascinatedBox Lily shorthash_for_name Function

Publication date: 2026-02-18

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in FascinatedBox lily up to 2.3. Affected by this issue is the function shorthash_for_name of the file src/lily_symtab.c. The manipulation leads to use after free. Local access is required to approach this attack. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2660
EUVD
EUVD-2026-7642
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lily-lang lily to 2.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2660 is a use-after-free vulnerability in the FascinatedBox lily interpreter, affecting versions up to 2.3. The issue occurs in the function shorthash_for_name within the source file src/lily_symtab.c. During parsing, the lexer’s source buffer is dynamically resized using realloc in the grow_source_buffer function. If realloc moves the buffer to a new memory location, the old buffer is freed, but the parser retains pointers to the old buffer. When shorthash_for_name accesses these dangling pointers, it causes a heap-use-after-free error. This can lead to program crashes or unexpected behavior. Exploitation requires local access, and a proof-of-concept exploit is publicly available.

Impact Analysis

This vulnerability can impact you by causing the affected software to crash or behave unexpectedly due to invalid memory access. Since it is a use-after-free issue, it may also potentially be exploited to execute arbitrary code, although the primary impact is on availability. The vulnerability requires local access to exploit and is considered easy to exploit. There are no known mitigations currently, and the project maintainers have not responded to the issue.

Compliance Impact

I don't know

Mitigation Strategies

Currently, there are no known patches or fixes provided by the project maintainers for this vulnerability.

Immediate mitigation steps include:

  • Avoid running untrusted or malicious input through the FascinatedBox lily interpreter, especially versions up to 2.3.
  • Restrict local access to systems running the vulnerable version to trusted users only, since local access is required to exploit this issue.
  • Consider using alternative products or interpreters that do not have this vulnerability.

Monitoring for updates or patches from the project is recommended, but as of now, no response or fix has been provided.

Detection Guidance

This vulnerability is a local use-after-free issue in the FascinatedBox lily interpreter, specifically in the function shorthash_for_name. Detection involves running the Lily interpreter with AddressSanitizer (ASan) enabled and using a crafted input file (such as repro.lily) to trigger the bug.

To detect the vulnerability, you can build Lily with Release optimization and ASan enabled, then execute it with a specially crafted input that causes the heap-use-after-free error. ASan will report invalid memory accesses related to this vulnerability.

Suggested commands include:

  • Clone the Lily repository and build with ASan enabled (example using Clang):
  • clang -fsanitize=address -O2 -o lily src/lily/*.c
  • Run the interpreter with the crafted input file (e.g., repro.lily):
  • ./lily repro.lily

If the vulnerability is present, ASan will output an error indicating a heap-use-after-free in shorthash_for_name.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart