CVE-2026-2258

3.3 LOW

📋 TL;DR

CVE-2026-2258 is a memory corruption vulnerability in aardappel lobster's WaveFunctionCollapse function that allows local attackers to execute arbitrary code or cause denial of service. The vulnerability affects aardappel lobster versions up to 2025.4. Attackers must have local access to the system to exploit this flaw.

💻 Affected Systems

Products:
  • aardappel lobster
Versions: Up to and including 2025.4
Operating Systems: All platforms running aardappel lobster
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation leading to full system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case: Application crash or denial of service affecting the lobster process.

🟢 If Mitigated: Limited impact with proper privilege separation and minimal user access.

🌐 Internet-Facing: LOW - Requires local access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local attackers could compromise systems, but requires existing access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available in GitHub repositories, making exploitation straightforward for attackers with local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in commit c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd

Vendor Advisory: https://github.com/aardappel/lobster/issues/395

Restart Required: Yes

Instructions:

1. Update aardappel lobster to a version after 2025.4, or apply commit c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd.
2. Rebuild from source if using a source installation.
3. Restart any services using lobster.

🔧 Temporary Workarounds

Restrict local user access (Linux)

Limit which users can execute lobster applications to reduce the attack surface:

chmod 750 /path/to/lobster
setfacl -m u:trusteduser:rx /path/to/lobster

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can run lobster applications
  • Monitor for abnormal process behavior or crashes related to lobster processes

🔍 How to Verify

Check if Vulnerable:

Run lobster --version, or examine the source tree for a pre-patch wfc.h.

Check Version:

lobster --version

Verify Fix Applied:

Confirm that commit c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd is present in the git history of the checkout you built from (for example with git log).
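The git-history check above, scripted as an added example (not part of this advisory and not code from the lobster project). It assumes the lobster checkout is a git working tree with git on PATH, and uses the fix commit hash the advisory cites; it reports "fixed" when that commit is an ancestor of HEAD, "vulnerable" when it is not, and "unknown" when the path is not a usable repository.

```shell
#!/bin/sh
# Added example: check whether a lobster source checkout contains the fix
# commit named in the advisory for CVE-2026-2258. Not from the advisory or
# the lobster project.

# Fix commit as cited in the advisory (taken from the page, not assumed).
FIX_COMMIT="c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd"

# has_fix_commit REPO_DIR [COMMIT]
# Exit status: 0 = COMMIT is an ancestor of HEAD (fix present)
#              1 = COMMIT unknown to this clone or not reachable from HEAD
#              2 = REPO_DIR is missing or not a git working tree
has_fix_commit() {
    repo="$1"
    commit="${2:-$FIX_COMMIT}"
    [ -d "$repo" ] || return 2
    git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 2
    # rev-parse --verify fails when the object is not in this clone at all
    # (e.g. a shallow clone or a fork that never pulled the fix)
    git -C "$repo" rev-parse --verify --quiet "${commit}^{commit}" >/dev/null 2>&1 || return 1
    # --is-ancestor answers "is the fix in the history of what we built?"
    git -C "$repo" merge-base --is-ancestor "$commit" HEAD
}

# report_fix_status REPO_DIR [COMMIT]
# Prints one word: fixed, vulnerable, or unknown.
report_fix_status() {
    if has_fix_commit "$1" "$2"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "fixed" ;;
        1) echo "vulnerable" ;;
        *) echo "unknown" ;;
    esac
}

# Usage: sh check_lobster_fix.sh /path/to/lobster-src
if [ $# -gt 0 ]; then
    echo "lobster checkout $1: $(report_fix_status "$1")"
fi
```

A "vulnerable" result from a clone that was fetched before the fix landed only means the commit is not in that clone; fetch from upstream and re-run before concluding the build is unpatched. Note that this checks the source tree, not an installed binary: a binary built from a pre-patch checkout stays vulnerable until rebuilt and restarted, as the fix instructions above say.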

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults in lobster processes
  • Abnormal memory usage patterns
  • Unexpected process termination

Network Indicators:

  • None - local exploitation only

SIEM Query:

process_name:"lobster" AND (event_type:"segmentation_fault" OR exit_code:139)
