CVE-2026-2887

21.02.2026, 21:16

A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 will fix this issue. The name of the patch is 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.3 LOW	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
VulDB	CNA	3.3 LOW				CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-404 - Improper Resource Shutdown or Release
The program does not release or incorrectly releases a resource before it is made available for re-use.

References

https://github.com/aardappel/lobster/

https://github.com/aardappel/lobster/commit/8ba49f98ccfc9734ef352146806433a41d9f9aa6

https://github.com/aardappel/lobster/issues/397

https://github.com/aardappel/lobster/issues/397#issuecomment-3849015088

https://github.com/aardappel/lobster/releases/tag/v2026.1

https://github.com/oneafter/0204/blob/main/lob3/repro.lobster

https://vuldb.com/?ctiid.347181

https://vuldb.com/?id.347181

https://vuldb.com/?submit.755026