CVE-2026-3391
Received Received - Intake
Out-of-Bounds Read in FascinatedBox lily clear_storages Function

Publication date: 2026-03-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clear_storages of the file src/lily_emitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3391
EUVD
EUVD-2026-9126
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lily-lang lily to 2.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3391 is a heap-based out-of-bounds read vulnerability in the FascinatedBox Lily interpreter, specifically in the function clear_storages within the file src/lily_emitter.c.

The vulnerability is caused by an off-by-one error in the iteration loop of clear_storages, which accesses memory just beyond the allocated buffer boundary (128 bytes). This happens when cleaning up storage slots while leaving a lambda block.

This out-of-bounds read can lead to memory corruption or crashes due to improper bounds checking during storage cleanup.

The issue requires local access to exploit and has been publicly disclosed with a proof-of-concept exploit available.

Impact Analysis

This vulnerability can cause memory corruption or crashes in the Lily interpreter when exiting lambda blocks, potentially affecting system stability.

Since the exploit requires local access, an attacker with local privileges could trigger the out-of-bounds read to disrupt availability or cause undefined behavior.

The impact is considered low severity with a CVSSv3 base score of 3.3, but it still poses a risk to system availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability manifests as an out-of-bounds read in the function clear_storages of the Lily interpreter, causing a heap-buffer-overflow detected by AddressSanitizer (ASAN). Detection involves running Lily compiled with ASAN enabled and observing ASAN reports for read violations at the boundary of the allocated buffer.

To detect the vulnerability on your system, you can build the Lily interpreter with Release mode and ASAN enabled, then run the provided test file repro.lily which triggers the overflow.

Suggested detection steps include:

  • Compile Lily with Clang in Release mode with AddressSanitizer enabled.
  • Run the interpreter with the repro.lily test file to trigger the vulnerability.
  • Monitor ASAN output for read violations indicating out-of-bounds access.
Mitigation Strategies

Currently, no official patches or countermeasures have been provided by the project to mitigate this vulnerability.

Immediate mitigation steps include:

  • Restrict local access to the system running the vulnerable Lily interpreter, as exploitation requires local execution.
  • Consider using alternative products or versions not affected by this vulnerability.
  • Monitor for updates or patches from the project or community.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3391. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart