Cyber Resilience

CVE-2026-3386

MediumPublic PoC

Published: 01 March 2026

Published
01 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 7.9th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3386 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Wren Wren. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3386 is an out-of-bounds read vulnerability in the Wren programming language virtual machine, specifically affecting versions up to 0.4.0 of the wren-lang/wren project. The flaw resides in the emitOp function within the file src/vm/wren_compiler.c, which can be triggered to read data beyond allocated memory bounds. This issue is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read), with a CVSS v3.1 base score of 3.3 indicating low severity.

Exploitation requires local access to the host (AV:L), low privileges (PR:L), and low attack complexity (AC:L) with no user interaction needed (UI:N). An attacker with these conditions can launch the attack locally, potentially causing a denial of service due to the low-impact availability disruption (A:L), while confidentiality and integrity remain unaffected (C:N/I:N) within the unchanged scope (S:U).

References indicate that an exploit has been publicly disclosed at https://github.com/oneafter/0122/blob/main/i1219/repro, and the project was notified early via GitHub issue #1219 at https://github.com/wren-lang/wren/issues/1219, but has not yet responded. No patches or official mitigations are mentioned in the available advisories from sources like VulDB (https://vuldb.com/?ctiid.348272 and https://vuldb.com/?id.348272). Practitioners should monitor the Wren repository at https://github.com/wren-lang/wren/ for updates and avoid using affected versions in local environments.

EU & UK References

Vulnerability details

A flaw has been found in wren-lang wren up to 0.4.0. Affected by this vulnerability is the function emitOp of the file src/vm/wren_compiler.c. This manipulation causes out-of-bounds read. It is possible to launch the attack on the local host. The…

more

exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB read in local Wren VM/compiler enables application crash/DoS via direct exploitation of memory bounds flaw (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2858Same product: Wren Wren
CVE-2026-2659Shared CWE-119, CWE-125
CVE-2026-3731Shared CWE-119, CWE-125
CVE-2026-3663Shared CWE-119, CWE-125
CVE-2026-5315Shared CWE-119, CWE-125
CVE-2026-5314Shared CWE-119, CWE-125
CVE-2026-2662Shared CWE-119, CWE-125
CVE-2026-2644Shared CWE-119, CWE-125
CVE-2025-24265Shared CWE-125
CVE-2024-52923Shared CWE-119

Affected Assets

wren
wren
≤ 0.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces memory bounds checking and protections that block the out-of-bounds read in emitOp.

prevent

Requires timely application of patches to the vulnerable wren_compiler.c once fixes are released for versions <= 0.4.0.

prevent

Restricts execution of the affected Wren VM or compiler module, limiting exposure to the local out-of-bounds read flaw.

References