CVE-2026-2660
Use-After-Free in FascinatedBox Lily shorthash_for_name Function
Publication date: 2026-02-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lily-lang | lily | up to and including 2.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a local use-after-free issue in the FascinatedBox lily interpreter, specifically in the function shorthash_for_name. Detection involves running the Lily interpreter with AddressSanitizer (ASan) enabled and using a crafted input file (such as repro.lily) to trigger the bug.
To detect the vulnerability, you can build Lily with Release optimization and ASan enabled, then execute it with a specially crafted input that causes the heap-use-after-free error. ASan will report invalid memory accesses related to this vulnerability.
Suggested commands include:
- Clone the Lily repository and build with ASan enabled (example using Clang): `clang -fsanitize=address -O2 -o lily src/lily/*.c`
- Run the interpreter with the crafted input file (e.g., repro.lily): `./lily repro.lily`
If the vulnerability is present, ASan will output an error indicating a heap-use-after-free in shorthash_for_name.
Can you explain this vulnerability to me?
CVE-2026-2660 is a use-after-free vulnerability in the FascinatedBox lily interpreter, affecting versions up to 2.3. The issue occurs in the function shorthash_for_name within the source file src/lily_symtab.c. During parsing, the lexer's source buffer is dynamically resized using realloc in the grow_source_buffer function. If realloc moves the buffer to a new memory location, the old buffer is freed, but the parser retains pointers to the old buffer. When shorthash_for_name accesses these dangling pointers, it causes a heap-use-after-free error. This can lead to program crashes or unexpected behavior. Exploitation requires local access, and a proof-of-concept exploit is publicly available.
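The mechanism described above (a growable source buffer that moves, and a parser that keeps raw pointers into it) is a general pattern, so the following added example reproduces it in miniature. It is not code from the Lily project: the struct, the `append` helper, the stand-in `shorthash_for_name` and `grow_source_buffer` here are hypothetical. To make the move deterministic, growth is done with malloc + memcpy + free, which always yields a new address; realloc behaves the same way whenever it cannot extend the block in place, which is the case the advisory describes. The first function shows the pointer-into-buffer pattern going stale (the address is compared as an integer, so nothing is dereferenced; dereferencing it under the ASan build from the detection answer is what produces the heap-use-after-free report). The second shows the hardened form: store an offset and length, and rebuild the pointer from the current buffer base at each use.

```c
/* Added example, not code from the Lily project. Models a lexer whose source
 * buffer moves on growth and a parser that references a name inside it.
 * All names here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *data;   /* growable source text */
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
} source_buf;

/* Stand-in for a short name hash: packs the first 8 bytes little-endian. */
static uint64_t shorthash_for_name(const char *name, size_t n)
{
    uint64_t h = 0;
    for (size_t i = 0; i < n && i < 8; i++)
        h |= (uint64_t)(unsigned char)name[i] << (8 * i);
    return h;
}

/* Grow the buffer. Always moves the block (malloc + memcpy + free) so the
 * demonstration is deterministic; realloc does the same when it cannot
 * extend in place. */
static int grow_source_buffer(source_buf *b, size_t need)
{
    if (b->len + need <= b->cap)
        return 0;
    size_t ncap = b->cap ? b->cap * 2 : 32;
    while (ncap < b->len + need)
        ncap *= 2;
    char *nd = malloc(ncap);
    if (!nd)
        return -1;
    if (b->len)
        memcpy(nd, b->data, b->len);
    free(b->data);          /* old block is gone; any pointer into it dangles */
    b->data = nd;
    b->cap = ncap;
    return 0;
}

static int append(source_buf *b, const char *s)
{
    size_t n = strlen(s);
    if (grow_source_buffer(b, n))
        return -1;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

/* Vulnerable pattern: the parser saved a pointer to a name, then more source
 * was appended. Returns 1 when that address no longer belongs to the live
 * buffer. Compared as integers so the freed block is never touched; calling
 * shorthash_for_name on the saved pointer is what ASan would flag. */
int pointer_into_buffer_dangles(void)
{
    source_buf b = {0};
    if (append(&b, "first_name "))
        return -1;
    uintptr_t saved = (uintptr_t)b.data;          /* start of "first_name" */
    if (append(&b, "some more source text that forces a grow")) {
        free(b.data);
        return -1;
    }
    int dangles = (uintptr_t)b.data != saved;
    free(b.data);
    return dangles;
}

/* Hardened pattern: keep offset + length instead of a pointer and rebuild the
 * pointer from the current base at each use. Returns 1 when the hash computed
 * after the move equals the one computed before it. */
int offset_into_buffer_survives(void)
{
    source_buf b = {0};
    if (append(&b, "first_name "))
        return -1;
    size_t off = 0, n = strlen("first_name");
    uint64_t before = shorthash_for_name(b.data + off, n);
    if (append(&b, "some more source text that forces a grow")) {
        free(b.data);
        return -1;
    }
    uint64_t after = shorthash_for_name(b.data + off, n);   /* base re-read */
    free(b.data);
    return before == after;
}
```

The fix the second function illustrates is the usual one for this class of bug: any reference that must outlive a possible reallocation is stored as an index into the buffer, or the name is copied out of the buffer before the buffer can grow, rather than held as a raw pointer.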
How can this vulnerability impact me?
This vulnerability can impact you by causing the affected software to crash or behave unexpectedly due to invalid memory access. Since it is a use-after-free issue, it may also potentially be exploited to execute arbitrary code, although the primary impact is on availability. The vulnerability requires local access to exploit and is considered easy to exploit. There are no known mitigations currently, and the project maintainers have not responded to the issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
What immediate steps should I take to mitigate this vulnerability?
Currently, there are no known patches or fixes provided by the project maintainers for this vulnerability.
Immediate mitigation steps include:
- Avoid running untrusted or malicious input through the FascinatedBox lily interpreter, especially versions up to 2.3.
- Restrict local access to systems running the vulnerable version to trusted users only, since local access is required to exploit this issue.
- Consider using alternative products or interpreters that do not have this vulnerability.
Monitoring for updates or patches from the project is recommended, but as of now, no response or fix has been provided.