Executive Summary

CVE-2026-3384 is a security vulnerability in the ChaiScript scripting engine up to version 6.1.0. It arises from uncontrolled recursion caused by a user-defined operator that recursively calls itself within a string interpolation expression. This leads to infinite recursion, causing a stack overflow and ultimately crashing the host process.

The root cause is a user-defined operator for strings that invokes itself inside its own definition, triggering repeated nested evaluations without termination. The evaluation functions involved are chaiscript::eval::AST_Node_Impl::eval and chaiscript::eval::Function_Push_Pop, located in the file include/chaiscript/language/chaiscript_eval.hpp.

Because ChaiScript lacks recursion depth checks or stack exhaustion guards, this crafted operator causes denial of service by crashing the application through stack exhaustion.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) condition. When exploited, it triggers uncontrolled recursion leading to a stack overflow, which crashes the host process running ChaiScript.

The attack requires local access and low complexity to execute, meaning an attacker with limited privileges on the system can cause the application to become unavailable.

The impact primarily affects the availability of the application or system using ChaiScript, potentially disrupting services or workflows dependent on it.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by running a script that defines the recursive user-defined operator and observing if it causes a stack overflow or process crash due to uncontrolled recursion.'}, {'type': 'paragraph', 'content': 'A proof-of-concept involves defining the operator `/=` for strings that recursively calls itself inside a string interpolation expression, triggering infinite recursion.'}, {'type': 'paragraph', 'content': 'For example, running the following ChaiScript code can reproduce the issue:'}, {'type': 'list_item', 'content': 'def string::`/=`(double d) { this = "${this/= 2}/=${d}"; return this; }'}, {'type': 'list_item', 'content': 'var s = "o World"'}, {'type': 'list_item', 'content': 's /= 2'}, {'type': 'paragraph', 'content': 'Executing this script with the ChaiScript interpreter (e.g., `./chai crash.chai`) on a Linux x86_64 system compiled with Clang in Release mode with AddressSanitizer enabled will cause a stack overflow and crash, confirming the presence of the vulnerability.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

As of now, no official patch or fix has been provided by the ChaiScript maintainers.

Immediate mitigation steps include:

• Avoid running untrusted or user-supplied scripts that define or use recursive user-defined operators, especially those involving string interpolation.
• Restrict local access to systems running vulnerable versions of ChaiScript to prevent exploitation.
• Consider replacing or upgrading the affected component if a fixed version becomes available.
• Monitor for updates from the ChaiScript project or security advisories for any patches or workarounds.

Useful 0 Not Useful 0