CVE-2026-3390

3.3 LOW

📋 TL;DR

This vulnerability allows local attackers to trigger out-of-bounds read operations in the error reporting component of FascinatedBox lily. The flaw could leak sensitive memory contents or cause application crashes. Only users running lily versions up to 2.3 are affected.

💻 Affected Systems

Products:
  • FascinatedBox lily
Versions: Up to version 2.3
Operating Systems: All platforms running lily
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default

⚠️ Risk & Real-World Impact

🔴 Worst Case: Information disclosure of sensitive memory contents, potential application crash leading to denial of service, or use as a stepping stone for further exploitation.

🟠 Likely Case: Application crash or instability when processing malformed input in error reporting scenarios.

🟢 If Mitigated: Limited impact due to the local-only exploitation requirement and low CVSS score.

🌐 Internet-Facing: LOW - Attack requires local access to the system
🏢 Internal Only: MEDIUM - Local users could exploit this to crash applications or potentially leak information

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and specific triggering conditions in error reporting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Monitor the GitHub repository for updates. Consider workarounds or alternative software if critical.

🔧 Temporary Workarounds

Disable or restrict lily usage (applies to: all platforms)

Remove or restrict execution of lily applications to trusted users only:

chmod 750 /path/to/lily
chown root:root /path/to/lily

Implement strict input validation (applies to: all platforms)

Ensure all input to lily applications is properly validated before processing.

🧯 If You Can't Patch

  • Implement strict access controls to limit who can execute lily applications
  • Monitor systems for abnormal application crashes or memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check the installed lily version with 'lily --version', or examine the installed package version.

Check Version:

lily --version

Verify Fix Applied:

Verify that the installed version is above 2.3, or check for an updated package from the vendor.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes of lily processes
  • Memory access violation errors in system logs

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

Process:lily AND (EventID:1000 OR EventID:1001 OR "segmentation fault" OR "access violation")
