CVE-2026-2662

3.3 LOW

📋 TL;DR

This vulnerability allows local attackers to trigger an out-of-bounds read in FascinatedBox lily up to version 2.3. The weakness in the count_transforms function could leak sensitive memory contents. Only systems running vulnerable versions of lily are affected, and an attacker needs local access.

💻 Affected Systems

Products:
  • FascinatedBox lily
Versions: up to 2.3
Operating Systems: All platforms running lily
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation or sensitive information disclosure through memory content leakage

🟠 Likely Case: Information disclosure of adjacent memory contents, potentially revealing sensitive data

🟢 If Mitigated: Limited impact due to the local-only access requirement and memory randomization

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely
🏢 Internal Only: MEDIUM - Local users could exploit this to gain unauthorized information or potentially escalate privileges

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available in a GitHub repository, but local access is required to execute it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Monitor the GitHub repository for updates: https://github.com/FascinatedBox/lily/

🔧 Temporary Workarounds

Restrict local access (platforms: all)

Limit local user access to systems running vulnerable lily versions:
  • Implement least privilege access controls
  • Review and restrict local user permissions

Disable or remove lily (platforms: all)

Remove the vulnerable software if it is not essential:

sudo apt remove lily
sudo yum remove lily
brew uninstall lily

🧯 If You Can't Patch

  • Implement strict access controls to limit who can run lily locally
  • Monitor systems for unusual local process execution patterns

🔍 How to Verify

Check if Vulnerable:

Check the installed lily version with lily --version, or check the installed package version through your package manager.

Check Version:

lily --version

Verify Fix Applied:

Once a patch is released, verify that the installed version is greater than 2.3.

📡 Detection & Monitoring

Log Indicators:

  • Unusual local process crashes
  • Memory access violation logs

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

Process execution of lily with version <= 2.3 by local users
