Cyber Resilience

CVE-2026-3285

LowPublic PoC

Published: 27 February 2026

Published
27 February 2026
Modified
02 March 2026
KEV Added
Patch
CVSS Score v4 1.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0001 0.7th percentile
Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3285 is a low-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Berry-Lang Berry. Its CVSS base score is 1.9 (Low).

Operationally, ranked at the 0.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3285 is an out-of-bounds read vulnerability affecting berry-lang berry versions up to 1.1.0, specifically in the scan_string function within the file src/be_lexer.c. The issue stems from improper memory bounds handling, classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read). It was published on 2026-02-27.

Exploitation requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), with no user interaction needed (UI:N) and unchanged scope (S:U). A successful attack results in low confidentiality impact (C:L) through unauthorized memory reads, with no effects on integrity (I:N) or availability (A:N), yielding a CVSS v3.1 base score of 3.3. Local attackers with basic access can trigger the vulnerability.

Mitigation involves applying the patch at commit 7149c59a39ba44feca261b12f06089f265fec176, which is the recommended fix. Details are documented in the berry-lang GitHub repository, including issue #509, pull request #511, and a public exploit reproduction at https://github.com/oneafter/0211/blob/main/be/repro.

The exploit has been publicly disclosed and may be utilized by attackers.

EU & UK References

Vulnerability details

A vulnerability was determined in berry-lang berry up to 1.1.0. The affected element is the function scan_string of the file src/be_lexer.c. This manipulation causes out-of-bounds read. The attack requires local access. The exploit has been publicly disclosed and may be…

more

utilized. Patch name: 7149c59a39ba44feca261b12f06089f265fec176. Applying a patch is the recommended action to fix this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3386Shared CWE-119, CWE-125
CVE-2026-3283Shared CWE-119, CWE-125
CVE-2026-2705Shared CWE-119, CWE-125
CVE-2026-2659Shared CWE-119, CWE-125
CVE-2025-2755Shared CWE-119, CWE-125
CVE-2026-2858Shared CWE-119, CWE-125
CVE-2025-2753Shared CWE-119, CWE-125
CVE-2025-2751Shared CWE-119, CWE-125
CVE-2026-3731Shared CWE-119, CWE-125
CVE-2026-3663Shared CWE-119, CWE-125

Affected Assets

berry-lang
berry
1.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces memory bounds protection to block the out-of-bounds read in scan_string.

prevent

Requires prompt application of the published patch (commit 7149c59) that eliminates the lexer flaw.

prevent

Input validation at the lexer boundary can reject malformed strings that trigger the OOB read.

References