CVE-2026-3385
Uncontrolled Recursion in wren-lang resolveLocal Function
Publication date: 2026-03-01
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wren | wren | to 0.4.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3385 is a vulnerability in the Wren programming language compiler, specifically in the function resolveLocal within src/vm/wren_compiler.c. It arises due to uncontrolled recursion when parsing deeply nested code structures such as loops or blocks.
This deep recursion causes the compiler to exceed normal stack depth (over 300 recursive frames), which leads to an invalid calculation of local variable indices. As a result, the function resolveLocal performs an out-of-bounds memory read before the allocated heap buffer, causing a heap-buffer underflow and memory corruption.
The vulnerability can be triggered locally by feeding the compiler a maliciously crafted Wren source file with excessive nesting, leading to crashes and potential memory corruption during compilation.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption and potential arbitrary code execution during the compilation of maliciously crafted deeply nested Wren source code.
Additionally, it can cause denial of service by exhausting stack and memory resources due to uncontrolled recursion, resulting in crashes or unavailability of the compiler.
Exploitation requires local access to the system where the Wren compiler is running, and no remote exploitation is possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the Wren compiler with AddressSanitizer (ASan) enabled and using a specially crafted Wren source file containing deeply nested code structures to trigger the uncontrolled recursion and heap-buffer underflow.
A proof-of-concept test harness is available which reads a Wren source file and interprets it using the Wren VM. Running this harness with a crafted input file that contains deeply nested loops or blocks will trigger the crash and reveal the vulnerability.
Detection involves observing ASan reports indicating heap-buffer-overflow or underflow errors during compilation, specifically triggered by the function `resolveLocal` in `src/vm/wren_compiler.c`.
- Build Wren with Clang using AddressSanitizer enabled (e.g., compile with `-fsanitize=address`).
- Run the provided test harness with a deeply nested Wren source file to trigger the vulnerability.
- Monitor ASan output for heap-buffer-overflow or underflow errors related to `resolveLocal`.
What immediate steps should I take to mitigate this vulnerability?
Currently, no official patches or countermeasures have been provided by the Wren project to address this vulnerability.
Immediate mitigation steps include avoiding the use of deeply nested code structures in Wren source files to prevent triggering the uncontrolled recursion.
Consider restricting local access to systems running the vulnerable Wren compiler to reduce the risk of exploitation, as the attack requires local access.
If possible, consider using alternative products or language versions that are not affected by this vulnerability until an official fix is released.