CVE-2026-3392
Received Received - Intake
Null Pointer Dereference in FascinatedBox lily eval_tree Function

Publication date: 2026-03-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in FascinatedBox lily up to 2.3. The affected element is the function eval_tree of the file src/lily_emitter.c. This manipulation causes null pointer dereference. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3392
EUVD
EUVD-2026-9127
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lily-lang lily to 2.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3392 is a NULL Pointer Dereference vulnerability found in FascinatedBox lily versions up to 2.3. It occurs in the function eval_tree within the source file src/lily_emitter.c. The vulnerability is triggered when eval_tree is called by eval_build_hash during the evaluation of a Hash structure, and a NULL Abstract Syntax Tree (AST) node pointer is passed to eval_tree. This causes the function to attempt to access a struct member through a NULL pointer, leading to a segmentation fault or crash of the interpreter.

The root cause is malformed hash literals in the source code where either a key or value expression is missing or invalid, resulting in a NULL AST node being processed. This vulnerability can be exploited locally and has a publicly available proof-of-concept exploit.

Impact Analysis

This vulnerability can cause the Lily interpreter to crash due to a NULL pointer dereference, resulting in a denial of service or instability in applications that rely on it. Since the crash affects availability, it can disrupt normal operations of software using the affected version of Lily.

The attack requires local access and is considered easy to exploit, meaning an attacker with local privileges could trigger the crash to interrupt service.

Compliance Impact

I don't know

Detection Guidance

This vulnerability causes a NULL pointer dereference leading to a crash or segmentation fault in the Lily interpreter when processing malformed hash literals. Detection involves running the vulnerable Lily interpreter with crafted inputs that trigger the crash.

One way to detect the vulnerability is to execute the provided proof-of-concept exploit file (e.g., repro.lily) against the Lily interpreter and observe if it crashes with a segmentation fault or null pointer dereference error.

A suggested command to test this on a Linux system where Lily is installed and built with AddressSanitizer (ASan) enabled is:

  • clang -fsanitize=address -g -O2 -o lily src/lily_emitter.c (to build with ASan if source is available)
  • ./lily repro.lily

If the interpreter crashes with an ASan report or segmentation fault referencing a NULL pointer dereference in eval_tree, the vulnerability is present.

Mitigation Strategies

Since the vulnerability requires local access and the project has not yet provided a patch or response, immediate mitigation steps include avoiding running untrusted or malformed hash literals in the Lily interpreter.

It is recommended to consider replacing the affected software with an alternative product if possible, as no official fix or workaround is currently available.

Additionally, restricting local access to the system running the vulnerable Lily interpreter can reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3392. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart