Vulnerability Description
A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lily-Lang | Lily | <= 2.3 |
Related Weaknesses (CWE)
References
- https://github.com/FascinatedBox/lily/ (Product)
- https://github.com/FascinatedBox/lily/issues/382 (Exploit, Issue Tracking, Vendor Advisory)
- https://github.com/oneafter/0122/blob/main/i382/repro.lily (Exploit)
- https://vuldb.com/?ctiid.348276 (Permissions Required, VDB Entry)
- https://vuldb.com/?id.348276 (Third Party Advisory, VDB Entry)
- https://vuldb.com/?submit.761326 (Third Party Advisory, VDB Entry)
FAQ
What is CVE-2026-3390?
CVE-2026-3390 is a vulnerability with a CVSS score of 3.3 (LOW). A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation lea...
How severe is CVE-2026-3390?
CVE-2026-3390 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-3390?
Check the references section above for vendor advisories and patch information. Affected products include: Lily-Lang Lily.