CVE-2026-2662: Out-of-Bounds Read in FascinatedBox lily
A weakness has been identified in FascinatedBox lily up to and including version 2.3. The vulnerability affects the function count_transforms in the file src/lily_emitter.c. The manipulation leads to an out-of-bounds read. The attack can only be executed locally. An exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-2662 identifies a security weakness in FascinatedBox lily, an open-source programming language implemented in C, affecting releases up to and including 2.3. The vulnerability resides in the count_transforms function in the source file src/lily_emitter.c, part of the code emitter, and manifests as an out-of-bounds read (CWE-125): the function reads memory beyond the end of the buffer it is walking. The attack vector is local, meaning the attacker needs the ability to get lily to process crafted input on the host, with low privileges (PR:L), no user interaction, and low attack complexity (AC:L). The CVSS 4.0 vector rates confidentiality and integrity impact as none and availability impact as low (VC:N/VI:N/VA:L), so the outcome reflected in the score is a crash of the lily process rather than a usable information leak; whether the over-read can be turned into disclosure of adjacent memory is not established by the report. Exploit code has been published, which lowers the bar for reproducing the fault, although no exploitation in the wild has been reported. The maintainer was notified early via an issue report but has not responded or released a fix, so every affected release remains vulnerable. The vulnerability is most relevant where lily compiles scripts from sources the operator does not control, whether in development, testing, or production.
Potential Impact
For European organizations, the impact of CVE-2026-2662 as scored is denial of service: a local user, or any input path that feeds attacker-controlled scripts into lily, can crash the lily process during compilation (VA:L). Confidentiality impact is rated none (VC:N), so the disclosure of keys or credentials that out-of-bounds reads are often associated with should not be assumed here without analysis of what the over-read actually returns. The vulnerability does not provide remote access or privilege escalation on its own. It matters most on multi-user systems, shared build hosts, or services where untrusted parties can submit lily code, because a reliable crash can be used to disrupt builds or pipelines, and an interpreter with no available fix stays exposed for as long as the maintainer does not respond. Public exploit availability makes opportunistic reproduction likely. The medium severity rating indicates moderate risk, but with no patch to apply, mitigation has to come from deployment controls.
Mitigation Recommendations
European organizations should first establish whether lily is present at all (it is a niche language, most likely found on developer workstations, build hosts, or as an embedded scripting engine) and restrict who can feed it scripts; do not run lily on untrusted input until a fixed release exists. Mandatory access control (SELinux, AppArmor) or seccomp profiles cannot stop a process from reading out of bounds within its own address space, but they do limit what a crashed or hijacked lily process can reach, so use them for containment together with running the interpreter in a container or under a dedicated low-privilege account. Since the scored impact is a crash, enable core dumps or crash reporting for the lily binary and alert on repeated SIGSEGV or SIGBUS terminations, which are the observable sign of the public exploit being tried. Where the code can be rebuilt, compile lily with AddressSanitizer (-fsanitize=address) in test environments so this and similar over-reads fail loudly at the faulting read, and review count_transforms in src/lily_emitter.c to add an explicit length check, or apply a community patch if one appears. Track the project issue and the CVE record for a maintainer response and plan to upgrade promptly once a fixed version is released.
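As an added illustration of the bug class and of the bounds check recommended above, the following C example shows a sentinel-walking count loop beside a version that takes an explicit capacity. This is example code written for this page, not lily's own count_transforms, whose actual body is not reproduced here; the transform_t type, the TRANSFORM_END sentinel, the two function names and the sample buffer are hypothetical stand-ins.

```c
/* Illustration of CWE-125 (out-of-bounds read) in a "count entries" loop,
 * and the explicit-length check that prevents it. NOT lily's source: the
 * struct, sentinel and function names below are hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-argument "transform" record, as an emitter might keep. */
typedef struct {
    uint16_t kind;    /* 0 marks end-of-list in the unsafe design */
    uint16_t target;
} transform_t;

#define TRANSFORM_END 0

/* Unsafe: walks until it sees a sentinel. If the caller never wrote one,
 * the loop keeps reading whatever lies after the array (CWE-125). */
size_t count_transforms_unsafe(const transform_t *t)
{
    size_t n = 0;
    while (t[n].kind != TRANSFORM_END)
        n++;
    return n;
}

/* Hardened: the capacity is passed explicitly and checked before every
 * read, so a missing sentinel stops at the end of the buffer, not past it. */
size_t count_transforms_safe(const transform_t *t, size_t capacity)
{
    size_t n = 0;
    while (n < capacity && t[n].kind != TRANSFORM_END)
        n++;
    return n;
}

/* Constructed scenario: a backing buffer of 8 entries where the "logical"
 * array is the first 3 and the caller forgot the sentinel. Entries 3..6
 * model adjacent memory that happens to hold non-zero data; entry 7 is the
 * only zero. Keeping the overrun inside one allocation makes the demo
 * deterministic instead of relying on undefined behaviour. */
#define BACKING 8
#define LOGICAL 3

static transform_t backing[BACKING] = {
    {1, 10}, {2, 11}, {3, 12},          /* intended entries, no sentinel */
    {9, 99}, {9, 99}, {9, 99}, {9, 99}, /* "adjacent memory" */
    {TRANSFORM_END, 0},                 /* first zero the unsafe loop finds */
};

/* Named wrappers so the two behaviours can be compared on the same input. */
size_t demo_unsafe(void) { return count_transforms_unsafe(backing); }
size_t demo_safe(void)   { return count_transforms_safe(backing, LOGICAL); }

int main(void)
{
    printf("unsafe count: %zu (read past the 3 intended entries)\n", demo_unsafe());
    printf("safe count:   %zu (stopped at declared capacity)\n", demo_safe());
    return 0;
}
```

In a real fix the capacity comes from whatever allocated the buffer (the argument count, the array's recorded size), never from a terminator that input can omit. Building the same code with -fsanitize=address turns a genuine overrun into an immediate report at the faulting read, which is how an over-read in an emitter is usually caught under fuzzing.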
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-18T07:31:06.364Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6996fb478fb9188dea8c0304
Added to database: 2/19/2026, 12:00:07 PM
Last enriched: 2/19/2026, 12:03:10 PM
Last updated: 2/20/2026, 10:00:46 PM
Related Threats
- CVE-2026-2858: Out-of-Bounds Read in wren-lang wren (Medium)
- CVE-2026-27120: CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in vapor leaf-kit (Medium)
- CVE-2026-27118: CWE-346: Origin Validation Error in sveltejs kit (Medium)
- CVE-2026-27112: CWE-863: Incorrect Authorization in akuity kargo (Critical)
- CVE-2026-27111: CWE-862: Missing Authorization in akuity kargo (Medium)