CVE-2026-2662
Out-of-Bounds Read in FascinatedBox lily count_transforms Function
Publication date: 2026-02-18
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lily-lang | lily | up to 2.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI-Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2662 is a heap-buffer-overflow vulnerability in the Lily interpreter, specifically in the function count_transforms in the file src/lily_emitter.c. The function performs a 2-byte read from a heap buffer that is only 16 bytes in size, and the read lands 68 bytes beyond the end of that allocation, which is an out-of-bounds read.
The issue arises during closure transformation handled by perform_closure_transform, where the buffer is undersized for the number of transforms being processed. Because the bounds are not checked, memory outside the allocated buffer is read, which can crash the program or cause undefined behavior.
The vulnerability can only be exploited locally, and the exploit has been made public.
How can this vulnerability impact me?
This vulnerability causes out-of-bounds reads in the Lily interpreter, which can lead to program crashes or undefined behavior.
Because the attack can only be executed locally, an attacker would need local access to the system to exploit it.
The impact is limited: the CVSS scores are low (BaseScore 1.7 to 3.3), indicating low severity with no confidentiality or integrity impact and only some availability impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a heap-buffer-overflow that occurs locally in the FascinatedBox lily interpreter while executing the function count_transforms in src/lily_emitter.c.
It can be detected by running the Lily interpreter with AddressSanitizer (ASAN) enabled, which catches out-of-bounds reads at the moment they happen.
A test file named repro.lily is available that reproduces the crash when Lily is built with Release optimization and ASAN enabled.
- Build Lily with ASAN enabled (e.g., using compiler flags like -fsanitize=address).
- Run the repro.lily test file to trigger the vulnerability and observe ASAN reports for out-of-bounds reads.
- Monitor logs or crash reports for heap-buffer-overflow or out-of-bounds read errors related to count_transforms or lily_emitter.c.
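The last step above, scanning crash output for this specific signature, as an added example (not code from the page or the lily project): a small Python parser for AddressSanitizer reports that extracts the access kind, size, faulting stack and distance from the allocated region, and flags reports whose faulting frame is count_transforms in lily_emitter.c. The embedded report is constructed from the numbers the page gives (2-byte read, 16-byte region, 68 bytes past it); its addresses, PID and source line numbers are placeholders.

```python
import re
# Constructed sample ASAN report modelled on the crash described above (2-byte READ,
# 68 bytes past a 16-byte region, in count_transforms); addresses/lines are placeholders.
SAMPLE_ASAN_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000064 at pc 0x55d0c0ffee00 bp 0x7ffd0000a000 sp 0x7ffd00009ff0
READ of size 2 at 0x602000000064 thread T0
    #0 0x55d0c0ffee00 in count_transforms src/lily_emitter.c:999
    #1 0x55d0c0ffef10 in perform_closure_transform src/lily_emitter.c:999
0x602000000064 is located 68 bytes after 16-byte region [0x602000000010,0x602000000020)
allocated by thread T0 here:
    #0 0x7f00deadbeef in malloc (/usr/lib/libasan.so.8+0xbeef)
"""

ERROR_RE = re.compile(r"AddressSanitizer: (?P<kind>[a-z-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes "
                       r"(?:after|before|to the (?:right|left) of) (?P<region>\d+)-byte region")

def parse_asan_report(text):
    """Summarise the first AddressSanitizer error in `text` (None if there is none)."""
    m = ERROR_RE.search(text)
    if not m:
        return None
    report = {"kind": m.group("kind"), "op": None, "size": None,
              "frames": [], "distance": None, "region_size": None}
    in_access_stack = False          # only keep frames of the faulting access,
    for line in text.splitlines():   # not the later "allocated by" stack
        am = ACCESS_RE.match(line)
        if am:
            report["op"], report["size"] = am.group("op"), int(am.group("size"))
            in_access_stack = True
            continue
        fm = FRAME_RE.match(line)
        if fm and in_access_stack:
            report["frames"].append((fm.group("func"), fm.group("loc")))
            continue
        rm = REGION_RE.search(line)
        if rm:                       # the region line closes the access stack
            report["distance"], report["region_size"] = int(rm.group("dist")), int(rm.group("region"))
            in_access_stack = False
    return report

def matches_cve_2026_2662(report):
    """True for an OOB heap READ whose stack passes through count_transforms in lily_emitter.c."""
    if not report or report["kind"] != "heap-buffer-overflow" or report["op"] != "READ":
        return False
    return any(func == "count_transforms" and "lily_emitter.c" in loc
               for func, loc in report["frames"])
```

Feed it the stderr of an ASAN-instrumented run of repro.lily, or the ASAN section of a collected crash report; a match is a strong indicator that the build is affected.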
What immediate steps should I take to mitigate this vulnerability?
Currently there is no official patch or response from the project for this vulnerability.
Because exploitation requires local access and the impact is on availability, the immediate mitigation is to restrict local access to the affected software.
Consider replacing the affected version of FascinatedBox lily (up to 2.3) with an alternative product or with a version that is not vulnerable, if one is available.
Monitor for updates or patches from the project and apply them as soon as they become available.