CVE-2026-3391

EUVD-2026-9126
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clear_storages of the file src/lily_emitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.3 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
lily-langlily
𝑥
≤ 2.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/FascinatedBox/lily/
https://github.com/FascinatedBox/lily/issues/383
https://github.com/oneafter/0122/blob/main/i383/repro.lily
https://vuldb.com/?ctiid.348277
https://vuldb.com/?id.348277
https://vuldb.com/?submit.761327