A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patchlineend of the file src/lilybuilderror.c of the component Error Reporting. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"cwe_ids": [
"CWE-119",
"CWE-125"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/3xxx/CVE-2026-3390.json",
"cna_assigner": "VulDB"
}{
"cpe": "cpe:2.3:a:lily-lang:lily:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "2.0"
},
{
"last_affected": "2.0"
},
{
"introduced": "2.1"
},
{
"last_affected": "2.1"
},
{
"introduced": "2.2"
},
{
"last_affected": "2.2"
},
{
"introduced": "2.3"
},
{
"last_affected": "2.3"
},
{
"introduced": "0"
}
],
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
]
}