CVE-2026-2662 is a security vulnerability identified in the FascinatedBox lily software up to version 2.3. The flaw resides in the count_transforms function of the source file src/lily_emitter.c, where improper bounds checking leads to an out-of-bounds read condition. This vulnerability allows an attacker with local access and limited privileges to read memory beyond the allocated buffer, potentially exposing sensitive information or causing application crashes. The vulnerability does not require user interaction or elevated privileges beyond local access, and it does not affect confidentiality, integrity, or availability directly but poses a risk of information leakage or destabilization. The vulnerability was responsibly disclosed early to the project maintainers, but no patch or response has been issued yet. The CVSS 4.0 vector indicates low attack complexity, no user interaction, and limited privileges required, resulting in a medium severity rating with a score of 4.8. No known exploits have been observed in the wild, but a public exploit is available, increasing the risk of local attacks. The vulnerability affects all versions from 2.0 to 2.3 inclusive, and the lack of a patch means users remain exposed. The issue is localized to a specific function, suggesting that exploitation requires some knowledge of the software and local access, limiting the attack surface primarily to insiders or compromised accounts.

The primary impact of CVE-2026-2662 is the potential for local attackers to read memory outside the intended bounds, which can lead to unauthorized disclosure of sensitive information or cause application instability and crashes. While it does not directly allow remote code execution or privilege escalation, the information leakage could be leveraged in multi-stage attacks to gain further access or escalate privileges. Organizations running FascinatedBox lily versions 2.0 to 2.3 on critical systems may face risks of data exposure or service disruption. Since the exploit requires local access, the threat is more significant in environments where multiple users share systems or where attackers have already gained limited footholds. The absence of a patch increases the window of vulnerability, and the availability of a public exploit code raises the likelihood of exploitation attempts. Overall, the impact is medium but could be elevated if combined with other vulnerabilities or in sensitive environments.

To mitigate CVE-2026-2662, organizations should first restrict local access to systems running FascinatedBox lily to trusted users only, minimizing the risk of local exploitation. Employ strict access controls and monitoring on affected systems to detect suspicious local activity. Since no official patch is currently available, consider applying temporary workarounds such as disabling or limiting the use of the count_transforms function if feasible. Conduct thorough code reviews and testing if custom modifications are possible to identify and fix out-of-bounds reads. Use memory protection mechanisms like Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to reduce exploitation impact. Maintain up-to-date backups and prepare incident response plans in case exploitation occurs. Continuously monitor official channels for patches or updates from FascinatedBox and apply them promptly once released. Additionally, consider isolating affected systems in segmented network zones to limit lateral movement in case of compromise.