CVE-2026-3382
📋 TL;DR
A memory corruption vulnerability exists in ChaiScript's Boxed_Number::get_as function that allows local attackers to potentially execute arbitrary code or crash applications. This affects all users of ChaiScript up to version 6.1.0 who run untrusted scripts. The vulnerability requires local access to exploit.
💻 Affected Systems
- ChaiScript
📦 What is this software?
Chaiscript by Chaiscript
⚠️ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise through arbitrary code execution.
Likely Case
Application crash (denial of service) or limited memory corruption affecting script execution.
If Mitigated
Minimal impact if proper sandboxing and privilege separation are implemented.
🎯 Exploit Status
Exploit requires local access and knowledge of vulnerable function usage. Public exploit code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
No official patch available. Monitor ChaiScript GitHub repository for updates. Consider alternative mitigations.
🔧 Temporary Workarounds
Disable Untrusted Script Execution
allPrevent execution of untrusted ChaiScript code in applications
Application-specific configuration required
Sandbox ChaiScript Execution
linuxRun ChaiScript in isolated containers or sandboxed environments
docker run --security-opt=no-new-privileges -it your_app
firejail --private your_app
🧯 If You Can't Patch
- Implement strict input validation for all ChaiScript inputs
- Run ChaiScript applications with minimal privileges and in isolated environments
🔍 How to Verify
Check if Vulnerable:
Check ChaiScript version in your application dependencies or build configurationCheck Version:
Check your build system or package manager for ChaiScript versionVerify Fix Applied:
Verify ChaiScript version is greater than 6.1.0 when patch becomes available📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory corruption errors
- Unexpected termination of ChaiScript processes
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
Process termination events for ChaiScript applications with memory-related error codes