CVE-2026-3386
Out-of-Bounds Read in wren-lang emitOp Function
Publication date: 2026-03-01
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wren | wren | up to 0.4.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3386 is a vulnerability in the Wren programming language compiler, specifically in the function emitOp located in src/vm/wren_compiler.c. The issue arises because emitOp uses an opcode value as an index into a fixed-size array called stackEffects without proper bounds checking.
This improper validation causes an out-of-bounds read (CWE-125) when the opcode index is equal to or exceeds the maximum allowed opcode count, leading the function to read memory beyond the end of the stackEffects array.
The vulnerability can be triggered during compilation of certain Wren scripts that use extended opcode instructions requiring 16-bit arguments, where the opcode calculation is incorrect.
This flaw can cause crashes or undefined behavior in the compiler. The vulnerability is exploitable locally and a proof-of-concept exploit has been published.
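The defect the advisory describes is an opcode used as an array index with no range check. The following C program is an added illustration written for this page, not code from the Wren project: the opcode table, the `Compiler` struct and the `OP_*` names are constructed stand-ins for Wren's real `stackEffects` table and opcode set. It places a reconstruction of the unchecked lookup beside a checked version, then drives the checked version with a valid instruction sequence and with a sequence containing an out-of-range opcode of the kind a miscomputed extended opcode would produce.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, illustrative opcode set: NOT Wren's real opcode table.
 * Each entry is the net change an instruction makes to the operand stack
 * depth, which is what a stackEffects lookup in emitOp is used for. */
enum { OP_CONSTANT, OP_POP, OP_ADD, OP_CALL_0, OP_RETURN, OP_COUNT };

static const int stackEffects[OP_COUNT] = {
  /* OP_CONSTANT */  1,   /* pushes one value            */
  /* OP_POP      */ -1,   /* discards the top value      */
  /* OP_ADD      */ -1,   /* pops two, pushes one        */
  /* OP_CALL_0   */  0,   /* receiver replaced by result */
  /* OP_RETURN   */  0,
};

typedef struct {
  int numSlots;  /* simulated stack depth while emitting code */
  int maxSlots;  /* high-water mark, used to size the frame   */
} Compiler;

/* Vulnerable pattern (hypothetical reconstruction of the defect the advisory
 * describes): the opcode is used as an index with no range check, so a
 * miscomputed opcode >= OP_COUNT reads past the end of stackEffects. */
static int emitOpUnchecked(Compiler* c, int opcode)
{
  c->numSlots += stackEffects[opcode];  /* out-of-bounds read if opcode >= OP_COUNT */
  if (c->numSlots > c->maxSlots) c->maxSlots = c->numSlots;
  return c->numSlots;
}

/* Hardened form: validate the index at the point of use. It does not matter
 * how the caller derived the opcode (the advisory mentions an incorrect
 * calculation for instructions with 16-bit arguments); the table is only
 * touched when the index is inside it. */
static bool emitOpChecked(Compiler* c, int opcode)
{
  if (opcode < 0 || opcode >= OP_COUNT) return false;  /* reject, do not index */
  c->numSlots += stackEffects[opcode];
  if (c->numSlots > c->maxSlots) c->maxSlots = c->numSlots;
  return true;
}

/* Emit a whole instruction sequence and return its stack high-water mark,
 * or -1 if any opcode is out of range. */
static int computeMaxSlots(const int* ops, size_t count)
{
  Compiler c = { 0, 0 };
  for (size_t i = 0; i < count; i++) {
    if (!emitOpChecked(&c, ops[i])) return -1;
  }
  return c.maxSlots;
}

/* Sample inputs (constructed for this example). */
static int demoValidProgram(void)
{
  /* push, push, add, return: depth goes 1, 2, 1, 1 -> max 2 */
  static const int ops[] = { OP_CONSTANT, OP_CONSTANT, OP_ADD, OP_RETURN };
  return computeMaxSlots(ops, sizeof ops / sizeof ops[0]);
}

static int demoMiscomputedOpcode(void)
{
  /* second opcode lies outside the table, as a miscomputed extended opcode
   * would; the checked path refuses it instead of reading past the end */
  static const int ops[] = { OP_CONSTANT, OP_COUNT + 3 };
  return computeMaxSlots(ops, sizeof ops / sizeof ops[0]);
}

int main(void)
{
  Compiler c = { 0, 0 };
  /* the unchecked variant is only ever called with an in-range opcode here */
  printf("unchecked in-range emit -> numSlots %d\n", emitOpUnchecked(&c, OP_CONSTANT));
  printf("valid program max slots: %d\n", demoValidProgram());
  printf("miscomputed opcode result: %d (rejected)\n", demoMiscomputedOpcode());
  return 0;
}
```

Built with `-fsanitize=address`, the unchecked variant would report a global-buffer-overflow the moment it is handed an index at or past `OP_COUNT`; the checked variant returns an error before the table is touched, which is the property a fix for the advisory's issue needs to establish regardless of where the bad opcode value came from.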
How can this vulnerability impact me?
This vulnerability can impact you by causing the Wren compiler to perform an out-of-bounds read, which may lead to crashes or undefined behavior during compilation of certain scripts.
Since the flaw is a global buffer overflow, it can affect the availability of the system running the compiler by causing it to crash.
Exploitation requires local access to the system, and an exploit is publicly available, increasing the risk of attack.
No known mitigations or patches have been provided yet, so affected users should consider replacing or avoiding the vulnerable version of Wren.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in the Wren compiler's emitOp function due to an out-of-bounds read on the stackEffects array when compiling certain extended opcode instructions.
Detection involves reproducing the issue using a specially crafted Wren source file that triggers the out-of-bounds read during compilation.
To detect the vulnerability on your system, you can build Wren with AddressSanitizer (ASan) enabled and run a test harness that loads and interprets a crafted Wren source file designed to trigger the overflow.
No specific network detection commands are provided, as the attack is local and triggered during compilation.
Suggested commands include building Wren with ASan and running the provided test harness with crafted input to observe ASan reports of buffer overflow. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Currently, no official response or patch has been provided by the Wren project to address this vulnerability.
Immediate mitigation steps include avoiding the use of affected versions of Wren (up to 0.4.0) for compiling untrusted or potentially malicious code.
Consider replacing the affected Wren compiler with an alternative or updated version once available.
Since the exploit requires local access, restrict access to systems running the vulnerable Wren compiler to trusted users only.