CVE-2026-3391

3.3 LOW

📋 TL;DR

CVE-2026-3391 is an out-of-bounds read vulnerability in the clear_storages function of FascinatedBox lily up to version 2.3. This flaw allows local attackers to read memory beyond allocated buffers, potentially exposing sensitive information. Only systems running a vulnerable version of lily on which the attacker already has local access are affected.

💻 Affected Systems

Products:
  • FascinatedBox lily
Versions: Up to and including 2.3
Operating Systems: All platforms running lily
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of lily up to 2.3 are vulnerable if the clear_storages function is called.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker reads sensitive memory contents, potentially exposing credentials, cryptographic keys, or other confidential data stored in process memory.

🟠 Likely Case

Information disclosure of limited memory contents, possibly causing application instability or crashes.

🟢 If Mitigated

Minimal impact with proper access controls preventing unauthorized local access to vulnerable systems.

🌐 Internet-Facing: LOW - Attack requires local access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this for information disclosure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available on GitHub, but requires local access to the system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor the GitHub repository for updates: https://github.com/FascinatedBox/lily/

🔧 Temporary Workarounds

Restrict local access (all platforms): limit local user access to systems running vulnerable lily versions.

Disable or remove lily (Linux): remove lily from systems where it's not essential.

# Linux: sudo apt remove lily or equivalent for your package manager

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized local users from accessing systems running lily
  • Monitor systems for unusual local user activity and memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check the lily version with lily --version, or check the installed package version.

Check Version:

lily --version

Verify Fix Applied:

Verify that the lily version is greater than 2.3 once a patch becomes available.
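The verification step above reduces to "is the reported version 2.3 or lower". Because a plain string comparison would misclassify 2.10 as older than 2.3, the following POSIX shell script, added here as an example and not taken from the advisory or the lily project, parses the major and minor components numerically. The advisory does not state the exact output format of lily --version, so the script extracts the first dotted number it finds; the function names and the CHECK_LILY variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the lily project): classify a lily
# version string against the affected range "up to and including 2.3".

# is_affected_version VERSION
#   Returns 0 (true) when VERSION is <= 2.3, 1 otherwise.
#   Major and minor are compared as integers, so 2.10 is correctly newer than
#   2.3. The advisory names only major.minor, so patch-level digits are ignored
#   and 2.3.x is conservatively treated as affected.
is_affected_version() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"
    if [ "$rest" = "$v" ]; then
        minor=0                      # no dot at all, e.g. "2"
    else
        minor="${rest%%.*}"
    fi
    # drop any non-numeric suffix such as "-rc1" (POSIX pattern expansion)
    major="${major%%[!0-9]*}"
    minor="${minor%%[!0-9]*}"
    [ -n "$major" ] || return 1      # unparsable input: do not claim affected
    [ -n "$minor" ] || minor=0
    if [ "$major" -lt 2 ]; then
        return 0
    fi
    if [ "$major" -eq 2 ] && [ "$minor" -le 3 ]; then
        return 0
    fi
    return 1
}

# extract_version TEXT
#   Prints the first dotted number in TEXT (e.g. the output of
#   `lily --version`), or nothing if none is present.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check_installed_lily
#   Runs `lily --version` if lily is on PATH and prints a one-line verdict.
#   Exit status: 0 affected, 1 not affected or not installed, 2 unparsable.
check_installed_lily() {
    if ! command -v lily >/dev/null 2>&1; then
        echo "lily: not installed, not affected"
        return 1
    fi
    out=$(lily --version 2>&1)
    ver=$(extract_version "$out")
    if [ -z "$ver" ]; then
        echo "lily: could not parse a version from: $out"
        return 2
    fi
    if is_affected_version "$ver"; then
        echo "lily $ver: AFFECTED by CVE-2026-3391 (<= 2.3)"
        return 0
    fi
    echo "lily $ver: not in the affected range"
    return 1
}

# Opt-in entry point so the file can also be sourced for its functions.
if [ "${CHECK_LILY:-0}" = "1" ]; then
    check_installed_lily
fi
```

Run it with CHECK_LILY=1 sh check_lily.sh on a host; the exit status makes it usable from inventory or configuration-management scripts. Re-run the same check after a fixed release appears to confirm the installed version is above 2.3.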

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or segmentation faults in lily processes
  • Unusual memory access patterns in system logs

Network Indicators:

  • No network indicators - local exploit only

SIEM Query:

Process execution of lily with version <= 2.3 OR Application crashes from lily process
