CVE-2026-3392
Null Pointer Dereference in FascinatedBox lily eval_tree Function
Publication date: 2026-03-01
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lily-lang | lily | to 2.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3392 is a NULL Pointer Dereference vulnerability found in FascinatedBox lily versions up to 2.3. It occurs in the function eval_tree within the source file src/lily_emitter.c. The vulnerability is triggered when eval_tree is called by eval_build_hash during the evaluation of a Hash structure, and a NULL Abstract Syntax Tree (AST) node pointer is passed to eval_tree. This causes the function to attempt to access a struct member through a NULL pointer, leading to a segmentation fault or crash of the interpreter.
The root cause is malformed hash literals in the source code where either a key or value expression is missing or invalid, resulting in a NULL AST node being processed. This vulnerability can be exploited locally and has a publicly available proof-of-concept exploit.
How can this vulnerability impact me? :
This vulnerability can cause the Lily interpreter to crash due to a NULL pointer dereference, resulting in a denial of service or instability in applications that rely on it. Since the crash affects availability, it can disrupt normal operations of software using the affected version of Lily.
The attack requires local access and is considered easy to exploit, meaning an attacker with local privileges could trigger the crash to interrupt service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a NULL pointer dereference leading to a crash or segmentation fault in the Lily interpreter when processing malformed hash literals. Detection involves running the vulnerable Lily interpreter with crafted inputs that trigger the crash.
One way to detect the vulnerability is to execute the provided proof-of-concept exploit file (e.g., repro.lily) against the Lily interpreter and observe if it crashes with a segmentation fault or null pointer dereference error.
A suggested command to test this on a Linux system where Lily is installed and built with AddressSanitizer (ASan) enabled is:
- clang -fsanitize=address -g -O2 -o lily src/lily_emitter.c (to build with ASan if source is available)
- ./lily repro.lily
If the interpreter crashes with an ASan report or segmentation fault referencing a NULL pointer dereference in eval_tree, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Since the vulnerability requires local access and the project has not yet provided a patch or response, immediate mitigation steps include avoiding running untrusted or malformed hash literals in the Lily interpreter.
It is recommended to consider replacing the affected software with an alternative product if possible, as no official fix or workaround is currently available.
Additionally, restricting local access to the system running the vulnerable Lily interpreter can reduce the risk of exploitation.