CVE-2026-2660
Published: 18 February 2026
Summary
CVE-2026-2660 is a low-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Lily-Lang Lily. Its CVSS base score is 3.3 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 1.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.
Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.
Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.
Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in local lily interpreter directly enables application crash/DoS via crafted input, mapping to T1499.004 Application or System Exploitation; no RCE, priv-esc, or remote vectors per description.
NVD Description
A vulnerability was identified in FascinatedBox lily up to 2.3. Affected by this issue is the function shorthash_for_name of the file src/lily_symtab.c. The manipulation leads to use after free. Local access is required to approach this attack. The exploit is…
more
publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-2660 is a use-after-free vulnerability affecting FascinatedBox lily versions up to 2.3. The issue resides in the shorthash_for_name function within the src/lily_symtab.c file. It is classified under CWE-119 (improper restriction of operations within the bounds of a memory buffer) and CWE-416 (use after free), with a CVSS v3.1 base score of 3.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L), indicating low severity primarily due to its local attack vector and limited impact to availability.
Exploitation requires local access on the target system, with an attacker needing low privileges (PR:L). A successful exploit can trigger a use-after-free condition, leading to a denial-of-service such as application crash or instability, but without impacts to confidentiality or integrity. A public proof-of-concept exploit is available, demonstrating the issue via a reproducible test case.
Advisories note that the project was notified early through GitHub issue #385 but has not yet responded or issued patches. References including the FascinatedBox/lily repository, the issue tracker, a public reproducer at oneafter/0122/blob/main/i385/repro.lily, and VulDB entries (ctiid.346458 and id.346458) provide further details, but no mitigations or fixes are currently available. Security practitioners should monitor the repository for updates and consider restricting local access or usage of affected lily versions.
Details
- CWE(s)