CVE-2026-2887

3.3 LOW

📋 TL;DR

This vulnerability in aardappel lobster allows uncontrolled recursion in the TypeName function, which could lead to denial of service or potentially arbitrary code execution. Only affects users of aardappel lobster up to version 2025.4. The attack requires local access to the system.

💻 Affected Systems

Products:
  • aardappel lobster
Versions: Up to and including 2025.4
Operating Systems: All platforms running aardappel lobster
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable. The vulnerability is in the core library code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker could cause denial of service through resource exhaustion or potentially execute arbitrary code with the privileges of the lobster process.

🟠 Likely Case

Denial of service through stack overflow or excessive resource consumption, crashing the lobster application.

🟢 If Mitigated

Minimal impact if proper access controls limit local user privileges and lobster runs with minimal permissions.

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely.
🏢 Internal Only: MEDIUM - Local users could exploit this to disrupt services or potentially escalate privileges if lobster runs with elevated permissions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit has been publicly disclosed and requires local access. Attack complexity is low once local access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.1

Vendor Advisory: https://github.com/aardappel/lobster/releases/tag/v2026.1

Restart Required: Yes

Instructions:

1. Download version 2026.1 from GitHub releases.
2. Replace the existing lobster installation with the new version.
3. Restart any services using lobster.

🔧 Temporary Workarounds

Restrict local access (applies to: all)

Limit local user access to systems running vulnerable lobster versions.

Run with minimal privileges (applies to: all)

Ensure lobster processes run with the lowest necessary privileges.

🧯 If You Can't Patch

  • Implement strict access controls to limit local user access to affected systems
  • Monitor for abnormal resource consumption or crashes in lobster processes

🔍 How to Verify

Check if Vulnerable:

Check the lobster version: if the version is 2025.4 or earlier, the system is vulnerable.

Check Version:

lobster --version

Verify Fix Applied:

Verify that the version is 2026.1 or later using the version check command.

📡 Detection & Monitoring

Log Indicators:

  • Repeated crashes of lobster processes
  • Stack overflow errors in application logs
  • Abnormal memory or CPU consumption by lobster

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

(Process:lobster AND (EventID:1000 OR EventID:1001)) OR (Process:lobster AND (MemoryUsage > 90% OR CPUUsage > 90%))
