Executive Summary

CVE-2026-3390 is a heap-buffer underflow vulnerability in the Lily interpreter, specifically in the function patch_line_end within the file src/lily_build_error.c. This function is part of the error reporting subsystem and is responsible for trimming trailing characters like newlines from a string buffer.

The vulnerability occurs because patch_line_end attempts to read one byte before the start of the allocated heap buffer without properly checking boundary conditions. This unchecked access leads to an out-of-bounds read (CWE-125), causing a read violation and potentially crashing the program when an error occurs on an empty line or at the very beginning of the buffer.

The issue can only be exploited locally and has a publicly available proof-of-concept exploit. It was discovered using AddressSanitizer (ASan) on Linux x86_64 systems.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Impact Analysis

This vulnerability impacts the availability of the affected software by causing crashes during error message generation due to out-of-bounds reads.

It does not affect confidentiality or integrity, and exploitation requires local access, making remote attacks impossible.

Since the exploit is publicly available and easy to perform locally, it poses a risk of denial of service by crashing the application.

No patches or mitigations are currently available, and the project maintainers have not responded to the issue.

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability is a heap-buffer underflow in the Lily interpreter's error reporting function patch_line_end, triggered locally during error message generation. Detection involves reproducing the crash using a crafted input file and running Lily with AddressSanitizer (ASan) enabled to catch the out-of-bounds read."}, {'type': 'paragraph', 'content': 'A suggested detection method is to build Lily with ASan enabled and run it with a specially crafted input file (such as repro.lily) that triggers the vulnerability. The ASan output will report a read violation one byte before the allocated heap buffer.'}, {'type': 'paragraph', 'content': 'Example commands include:'}, {'type': 'list_item', 'content': 'Build Lily with ASan enabled (example for Linux x86_64 with Clang):'}, {'type': 'list_item', 'content': 'clang -fsanitize=address -g -O1 -o lily_binary src/*.c'}, {'type': 'list_item', 'content': 'Run Lily with the crafted input file that triggers the crash:'}, {'type': 'list_item', 'content': './lily_binary repro.lily'}, {'type': 'paragraph', 'content': 'If ASan detects the out-of-bounds read, it will output an error message indicating a heap-buffer underflow in patch_line_end.'}] [1, 3, 4]

Useful 0 Not Useful 0

Mitigation Strategies

Currently, there are no known patches or official mitigations available for this vulnerability as the project maintainers have not responded yet.

Since the vulnerability requires local access and affects availability by causing crashes, immediate mitigation steps include:

• Restrict local access to the affected system to trusted users only.
• Avoid running the vulnerable version of FascinatedBox lily (up to 2.3) in untrusted environments.
• Consider replacing the affected software with an alternative that does not have this vulnerability.

Monitoring for any updates or patches from the project is recommended.

Useful 0 Not Useful 0