CVE-2026-3385
Received Received - Intake
Uncontrolled Recursion in wren-lang resolveLocal Function

Publication date: 2026-03-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in wren-lang wren up to 0.4.0. Affected is the function resolveLocal of the file src/vm/wren_compiler.c. The manipulation results in uncontrolled recursion. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3385
EUVD
EUVD-2026-9120
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wren wren to 0.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3385 is a vulnerability in the Wren programming language compiler, specifically in the function resolveLocal within src/vm/wren_compiler.c. It arises due to uncontrolled recursion when parsing deeply nested code structures such as loops or blocks.

This deep recursion causes the compiler to exceed normal stack depth (over 300 recursive frames), which leads to an invalid calculation of local variable indices. As a result, the function resolveLocal performs an out-of-bounds memory read before the allocated heap buffer, causing a heap-buffer underflow and memory corruption.

The vulnerability can be triggered locally by feeding the compiler a maliciously crafted Wren source file with excessive nesting, leading to crashes and potential memory corruption during compilation.

Impact Analysis

This vulnerability can lead to memory corruption and potential arbitrary code execution during the compilation of maliciously crafted deeply nested Wren source code.

Additionally, it can cause denial of service by exhausting stack and memory resources due to uncontrolled recursion, resulting in crashes or unavailability of the compiler.

Exploitation requires local access to the system where the Wren compiler is running, and no remote exploitation is possible.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by running the Wren compiler with AddressSanitizer (ASan) enabled and using a specially crafted Wren source file containing deeply nested code structures to trigger the uncontrolled recursion and heap-buffer underflow.

A proof-of-concept test harness is available which reads a Wren source file and interprets it using the Wren VM. Running this harness with a crafted input file that contains deeply nested loops or blocks will trigger the crash and reveal the vulnerability.

Detection involves observing ASan reports indicating heap-buffer-overflow or underflow errors during compilation, specifically triggered by the function `resolveLocal` in `src/vm/wren_compiler.c`.

  • Build Wren with Clang using AddressSanitizer enabled (e.g., compile with `-fsanitize=address`).
  • Run the provided test harness with a deeply nested Wren source file to trigger the vulnerability.
  • Monitor ASan output for heap-buffer-overflow or underflow errors related to `resolveLocal`.
Mitigation Strategies

Currently, no official patches or countermeasures have been provided by the Wren project to address this vulnerability.

Immediate mitigation steps include avoiding the use of deeply nested code structures in Wren source files to prevent triggering the uncontrolled recursion.

Consider restricting local access to systems running the vulnerable Wren compiler to reduce the risk of exploitation, as the attack requires local access.

If possible, consider using alternative products or language versions that are not affected by this vulnerability until an official fix is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3385. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart