
CVE-2026-2660: Use After Free in FascinatedBox lily

Severity: Medium
Published: Wed Feb 18 2026 (02/18/2026, 18:02:07 UTC)
Source: CVE Database V5
Vendor/Project: FascinatedBox
Product: lily

Description

A vulnerability was identified in FascinatedBox lily up to and including version 2.3. The affected code is the function shorthash_for_name in the file src/lily_symtab.c. Manipulation of this code path leads to a use after free. Local access is required to carry out this attack. An exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 13:36:35 UTC

Technical Analysis

CVE-2026-2660 is a use-after-free in FascinatedBox lily, an open-source programming language implementation, in versions up to and including 2.3. The flaw is in the function shorthash_for_name in src/lily_symtab.c, the interpreter's symbol table code. The public record does not explain how the freed memory comes to be referenced, only that manipulation of this code path leads to a use after free. A use-after-free occurs when a program keeps dereferencing a pointer to memory that has already been freed; the result is undefined behavior, which in practice ranges from a crash to silent memory corruption and, if an attacker can control what the allocator places in the freed slot, arbitrary code execution. VulDB classifies the attack as requiring local access with low privileges and no user interaction; in its convention "local" usually means the attacker must get the process to handle crafted input on the same host (for an interpreter, most plausibly a malicious script) rather than reach it over the network. A proof of concept is public, although no active exploitation has been reported. The project was notified through an issue report and has not yet responded or shipped a fix. The CVSS 4.0 score of 4.8 (medium) reflects the local attack vector and low attack complexity. That score also assumes the interpreter runs with no more privilege than the attacker already has; the practical risk is higher wherever lily executes scripts from less trusted sources or runs as a more privileged user than the one supplying the input.
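The general use-after-free pattern described above, illustrated with a toy symbol table. This is an added example and not lily's code; it does not reproduce the reported bug, whose mechanics the advisory does not detail. The structure names, the one-entry lookup cache and the hash function (toy_shorthash) are hypothetical. The vulnerable removal frees a node that the cache still points to, so the next lookup dereferences freed memory; the fixed removal invalidates the cache before the free.

```c
/*
 * Added example (not lily's code): a toy symbol table with a one-entry
 * lookup cache. Removing a symbol frees the node; the vulnerable variant
 * leaves the cache pointing at freed memory, which the next lookup
 * dereferences. All names, the layout and the hash are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct sym {
    struct sym *next;
    uint16_t shorthash;   /* cheap pre-check before the strcmp */
    char *name;
} sym_t;

typedef struct {
    sym_t *head;
    sym_t *last_hit;      /* cache of the last successful lookup */
} symtab_t;

/* Hypothetical 16-bit name hash (FNV-1a folded in half). */
static uint16_t toy_shorthash(const char *name)
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = (h ^ *p) * 16777619u;
    return (uint16_t)(h ^ (h >> 16));
}

static char *dup_name(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (!d)
        abort();
    memcpy(d, s, n);
    return d;
}

static void symtab_add(symtab_t *t, const char *name)
{
    sym_t *s = malloc(sizeof *s);
    if (!s)
        abort();
    s->name = dup_name(name);
    s->shorthash = toy_shorthash(name);
    s->next = t->head;
    t->head = s;
}

/* Lookup: consults the cache first, then walks the list. */
static sym_t *symtab_find(symtab_t *t, const char *name)
{
    uint16_t h = toy_shorthash(name);
    sym_t *c = t->last_hit;
    if (c && c->shorthash == h && strcmp(c->name, name) == 0)
        return c;                       /* dereferences c: UAF if c was freed */
    for (sym_t *s = t->head; s; s = s->next) {
        if (s->shorthash == h && strcmp(s->name, name) == 0) {
            t->last_hit = s;
            return s;
        }
    }
    return NULL;
}

/* Unlink and free the node for `name`; returns 1 if removed, 0 if absent.
 * `fix` controls whether the cache is invalidated before the free. */
static int symtab_remove(symtab_t *t, const char *name, int fix)
{
    for (sym_t **pp = &t->head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->name, name) != 0)
            continue;
        sym_t *dead = *pp;
        *pp = dead->next;
        if (fix && t->last_hit == dead)
            t->last_hit = NULL;         /* the fix: drop the stale pointer */
        free(dead->name);
        free(dead);                     /* with fix == 0, last_hit now dangles */
        return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    int fix = !(argc > 1 && strcmp(argv[1], "vuln") == 0);
    symtab_t t = {0};
    symtab_add(&t, "print");
    symtab_find(&t, "print");           /* warms the cache */
    symtab_remove(&t, "print", fix);
    /* Built with -fsanitize=address and run with "vuln", the lookup below
     * is reported as a heap-use-after-free inside symtab_find. */
    printf("%s lookup after removal: %s\n", fix ? "fixed" : "vulnerable",
           symtab_find(&t, "print") ? "found (stale)" : "not found");
    return 0;
}
```

Build with `cc -g -fsanitize=address -o symtab symtab.c` and run `./symtab vuln` to see the sanitizer report the read of freed memory with both the free and the use stack; `./symtab` alone takes the fixed path and reports "not found". The point worth carrying over to real code is that every cache, iterator or back-pointer into a freed object has to be cleared in the same place the free happens.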

Potential Impact

The direct consequence is that a local attacker who can reach the vulnerable code path can corrupt heap memory in the lily process, crashing it or, with enough control over allocator state, executing arbitrary code with that process's privileges. Whether this amounts to privilege escalation depends on deployment: if lily runs as the same user who supplies the input there is nothing to escalate, but if it runs as a service account, a setuid helper or a sandbox that executes scripts from less trusted users, the flaw is a way out of that boundary. Remote exploitation is not possible on its own, but a public proof of concept lowers the bar for insiders and for attackers who already have a foothold, and it can chain with any remote path that feeds attacker-controlled scripts to the interpreter. With no vendor response and no patch, exposure persists for as long as affected versions remain in use; the medium rating and local vector bound the scope compared with remote, unauthenticated bugs.

Mitigation Recommendations

No fixed release exists at the time of writing, so mitigation is about limiting who can feed input to the interpreter and containing what a compromised interpreter can do. Treat lily scripts as executable code: do not run scripts from untrusted sources, and if lily is embedded in a service that evaluates user-supplied code, either disable that feature or run the evaluation in a dedicated, unprivileged, sandboxed process (a MAC profile such as SELinux or AppArmor, seccomp, a container with no host mounts, or at minimum a separate uid) so that memory corruption does not reach the rest of the system. Restrict local access to hosts where lily runs to users who need it, and review any setuid, service-account or cron usage of the interpreter. If you build lily from source, compiling with -fsanitize=address turns a use-after-free into an immediate, diagnosable abort rather than silent corruption, which is useful for testing and, in low-risk environments, for failing closed. Log and audit local activity around the interpreter so that crashes and unexpected invocations are noticed. Watch the upstream repository and the issue report for a fix and apply it promptly once it lands; until then keep backups current and an incident response plan ready.


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-18T07:25:33.125Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6996fb498fb9188dea8c09a0

Added to database: 2/19/2026, 12:00:09 PM

Last enriched: 2/28/2026, 1:36:35 PM

Last updated: 4/7/2026, 2:23:26 AM

