CVE-2026-3386
Received Received - Intake
Out-of-Bounds Read in wren-lang emitOp Function

Publication date: 2026-03-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A flaw has been found in wren-lang wren up to 0.4.0. Affected by this vulnerability is the function emitOp of the file src/vm/wren_compiler.c. This manipulation causes out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3386
EUVD
EUVD-2026-9121
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wren wren to 0.4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3386 is a vulnerability in the Wren programming language compiler, specifically in the function emitOp located in src/vm/wren_compiler.c. The issue arises because emitOp uses an opcode value as an index into a fixed-size array called stackEffects without proper bounds checking.

This improper validation causes an out-of-bounds read (CWE-125) when the opcode index is equal to or exceeds the maximum allowed opcode count, leading the function to read memory beyond the end of the stackEffects array.

The vulnerability can be triggered during compilation of certain Wren scripts that use extended opcode instructions requiring 16-bit arguments, where the opcode calculation is incorrect.

This flaw can cause crashes or undefined behavior in the compiler. The vulnerability is exploitable locally and a proof-of-concept exploit has been published.

Impact Analysis

This vulnerability can impact you by causing the Wren compiler to perform an out-of-bounds read, which may lead to crashes or undefined behavior during compilation of certain scripts.

Since the flaw is a global buffer overflow, it can affect the availability of the system running the compiler by causing it to crash.

Exploitation requires local access to the system, and an exploit is publicly available, increasing the risk of attack.

No known mitigations or patches have been provided yet, so affected users should consider replacing or avoiding the vulnerable version of Wren.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability occurs in the Wren compiler's emitOp function due to an out-of-bounds read on the stackEffects array when compiling certain extended opcode instructions."}, {'type': 'paragraph', 'content': 'Detection involves reproducing the issue using a specially crafted Wren source file that triggers the out-of-bounds read during compilation.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can build Wren with AddressSanitizer (ASan) enabled and run a test harness that loads and interprets a crafted Wren source file designed to trigger the overflow.'}, {'type': 'paragraph', 'content': 'No specific network detection commands are provided, as the attack is local and triggered during compilation.'}, {'type': 'paragraph', 'content': 'Suggested commands include building Wren with ASan and running the provided test harness with crafted input to observe ASan reports of buffer overflow.'}] [1, 2]

Mitigation Strategies

Currently, no official response or patch has been provided by the Wren project to address this vulnerability.

Immediate mitigation steps include avoiding the use of affected versions of Wren (up to 0.4.0) for compiling untrusted or potentially malicious code.

Consider replacing the affected Wren compiler with an alternative or updated version once available.

Since the exploit requires local access, restrict access to systems running the vulnerable Wren compiler to trusted users only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3386. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart