CVE-2026-3390 PUBLISHED

A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

• Oneafter (VulDB User) reporter

• VDB-348276 | FascinatedBox lily Error Reporting lily_build_error.c patch_line_end out-of-bounds
• VDB-348276 | CTI Indicators (IOB, IOC, IOA)
• Submit #761326 | FascinatedBox lily main-branch Heap-based Buffer Overflow
• https://github.com/FascinatedBox/lily/issues/382
• https://github.com/oneafter/0122/blob/main/i382/repro.lily
• https://github.com/FascinatedBox/lily/

• Out-of-Bounds Read CWE
• Memory Corruption CWE