CVE-2026-2662
Status: Received - Intake
Out-of-Bounds Read in FascinatedBox lily count_transforms Function

Publication date: 2026-02-18

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in FascinatedBox lily up to version 2.3. This vulnerability affects the function count_transforms of the file src/lily_emitter.c. The manipulation causes an out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-02-18
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: lily-lang
Product: lily
Version / Range: up to 2.3 (inclusive)
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

CVE-2026-2662 is a heap-buffer-overflow vulnerability in the Lily interpreter, specifically in the function count_transforms in the file src/lily_emitter.c. The function performs a 2-byte read against a heap buffer that is only 16 bytes in size, and the read lands 68 bytes past the end of the allocated region, an out-of-bounds read.

The issue arises during closure transformation handled by perform_closure_transform, where the buffer is undersized for the number of transforms being processed. Because the read is not bounds-checked against the buffer's size, memory outside the allocation is read, which can crash the program or produce undefined behavior.

The vulnerability can only be exploited locally and the exploit has been made public.
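The missing check described above, as an added illustration that is not Lily's code: a hypothetical reader of 2-byte transform records in its unchecked form beside a form that carries the buffer length and rejects a count the buffer cannot hold. The record size, the function names and the 16-byte sample buffer are constructed assumptions; the helper `bytes_past_end` only reproduces the arithmetic behind the advisory's figure (a 2-byte entry at index 42 of a 16-byte buffer starts 68 bytes past its end).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Each transform record is assumed to be a 2-byte value (the advisory
   mentions a 2-byte read); this layout is a constructed stand-in, not Lily's. */
#define TRANSFORM_ENTRY_SIZE 2

/* Constructed 16-byte sample: eight 2-byte entries, five of them non-zero. */
static const uint8_t sample_transforms[16] = {
    1, 0,  0, 0,  2, 0,  0, 0,
    3, 0,  4, 0,  0, 0,  5, 0
};

/* Defect pattern: `count` is trusted, so a count larger than the buffer can
   hold walks the loop past the allocation. Reading past the end is undefined
   behaviour, so this form is only ever called here with a count that fits. */
static int count_transforms_unchecked(const uint8_t *buf, size_t count) {
    int total = 0;
    for (size_t i = 0; i < count; i++) {
        uint16_t v;
        memcpy(&v, buf + i * TRANSFORM_ENTRY_SIZE, sizeof v);
        if (v != 0) total++;
    }
    return total;
}

/* Hardened form: the buffer length travels with the pointer and bounds the
   count before any read happens. Returns -1 instead of reading out of bounds. */
static int count_transforms_checked(const uint8_t *buf, size_t buf_len, size_t count) {
    if (count > buf_len / TRANSFORM_ENTRY_SIZE)
        return -1;
    int total = 0;
    for (size_t i = 0; i < count; i++) {
        uint16_t v;
        memcpy(&v, buf + i * TRANSFORM_ENTRY_SIZE, sizeof v);
        if (v != 0) total++;
    }
    return total;
}

/* Distance from the end of a buf_len-byte buffer to where a read of entry
   `index` would start; 0 when the read starts inside the buffer or exactly at
   its end (the same convention ASAN uses for "N bytes to the right of"). */
static size_t bytes_past_end(size_t buf_len, size_t index) {
    size_t off = index * TRANSFORM_ENTRY_SIZE;
    return off >= buf_len ? off - buf_len : 0;
}

int main(void) {
    size_t n = sizeof sample_transforms;
    printf("unchecked, in-bounds (8 entries): %d\n",
           count_transforms_unchecked(sample_transforms, 8));
    printf("checked, in-bounds (8 entries): %d\n",
           count_transforms_checked(sample_transforms, n, 8));
    printf("checked, oversized (43 entries): %d\n",
           count_transforms_checked(sample_transforms, n, 43));
    printf("entry 42 starts %zu bytes past the end of a %zu-byte buffer\n",
           bytes_past_end(n, 42), n);
    return 0;
}
```

The checked form is the shape a fix usually takes: the caller that allocates the buffer also knows its size, and passing that size alongside the pointer lets the reader reject an inconsistent count instead of trusting it.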

Impact Analysis

This vulnerability can cause out-of-bounds reads in the Lily interpreter, potentially leading to program crashes or undefined behavior.

Since the attack can only be executed locally, an attacker would need local access to exploit this vulnerability.

The impact is limited: the CVSS base scores are low (1.7 to 3.3), indicating no confidentiality or integrity impact and only a limited availability impact.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a heap-buffer-overflow occurring locally in the FascinatedBox lily interpreter during the execution of the function count_transforms in src/lily_emitter.c.

Detection can be performed by running the Lily interpreter with AddressSanitizer (ASAN) enabled, which can catch out-of-bounds reads during execution.

A specific test file named repro.lily is available to reproduce the crash when Lily is built with Release optimization and ASAN enabled.

  • Build Lily with ASAN enabled (e.g., using compiler flags like -fsanitize=address).
  • Run the repro.lily test file to trigger the vulnerability and observe ASAN reports for out-of-bounds reads.
  • Monitor logs or crash reports for heap-buffer-overflow or out-of-bounds read errors related to count_transforms or lily_emitter.c.

Mitigation Strategies

Currently, there is no official patch or response from the project to fix this vulnerability.

Since the exploit requires local access and affects availability, immediate mitigation steps include restricting local access to the affected software.

Consider replacing the affected version of FascinatedBox lily (up to 2.3) with an alternative product or a version that is not vulnerable, if available.

Monitor for updates or patches from the project and apply them as soon as they become available.
