CVE-2026-2887: Uncontrolled Recursion in aardappel lobster
A security vulnerability has been detected in aardappel lobster up to 2025.4. It affects the function lobster::TypeName in the file dev/src/lobster/idents.h. Manipulation of its input leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 fixes this issue. The patch is identified by commit 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2026-2887 identifies a vulnerability in the aardappel lobster library, specifically in the lobster::TypeName function located in dev/src/lobster/idents.h. The vulnerability arises from uncontrolled recursion triggered by crafted inputs, which causes the function to recurse indefinitely or until system resource limits are reached. This uncontrolled recursion can lead to denial of service by exhausting stack or CPU resources. The attack vector is local, requiring an attacker to have access to the system and the ability to invoke the vulnerable function with malicious parameters. The vulnerability affects aardappel lobster versions 2025.0 through 2025.4. The CVSS 4.0 base score is 4.8, reflecting a medium severity due to the local attack vector and limited impact scope. No authentication is required beyond local access, and no user interaction is needed. The vulnerability does not compromise confidentiality or integrity but impacts availability by causing potential crashes or system instability. The issue has been publicly disclosed, and a patch is available in version 2026.1, identified by commit 8ba49f98ccfc9734ef352146806433a41d9f9aa6. Organizations using the affected versions should upgrade promptly to remediate the risk.
Potential Impact
The primary impact of CVE-2026-2887 is on system availability. Exploitation results in uncontrolled recursion, which can cause stack overflows, CPU exhaustion, or application crashes, leading to denial of service conditions. While the vulnerability does not directly expose sensitive data or allow privilege escalation, the resulting service disruption can affect operational continuity, especially in environments relying on the aardappel lobster library for critical functions. Since exploitation requires local access and low privileges, the threat is limited to scenarios where an attacker already has some foothold on the system. However, in multi-tenant or shared environments, this could be leveraged to disrupt services for other users. The public disclosure increases the risk of exploitation attempts, although no known exploits are currently reported in the wild. Organizations with development or runtime environments using the affected versions should consider the impact on availability and plan timely patching to avoid potential service interruptions.
Mitigation Recommendations
To mitigate CVE-2026-2887, organizations should upgrade the aardappel lobster library to version 2026.1 or later, which contains the patch addressing uncontrolled recursion in lobster::TypeName. Until the upgrade can be applied, restrict local access to trusted users only, minimizing the risk of exploitation by unauthorized personnel. Implement monitoring for unusual resource consumption patterns or application crashes related to the lobster library to detect potential exploitation attempts early. Conduct code reviews and static analysis on any custom integrations invoking lobster::TypeName to ensure inputs are validated and cannot trigger unbounded recursion. In environments where upgrading immediately is not feasible, consider applying runtime protections such as stack size limits or recursion depth checks if supported by the platform. Maintain an inventory of systems using the affected versions to prioritize patch deployment. Finally, educate local users and administrators about the risk to prevent inadvertent triggering of the vulnerability.
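The "recursion depth checks" recommended above are a general pattern for any recursive printer over a type graph. The following C++ is an added illustration and is not lobster's code: the `Type` struct, `NameType`, the depth limit `kMaxTypeDepth` and the sample-graph helpers are all hypothetical. It shows a recursive type-name routine bounded both by an explicit depth counter and by an on-path set that detects cycles, so that neither a deeply nested nor a self-referential type can exhaust the stack.

```cpp
// Added example (not lobster's code): depth- and cycle-guarded recursive type naming.
#include <cstdio>
#include <string>
#include <unordered_set>
#include <vector>

// Hypothetical type node: a name plus parameter types (generic or element types).
// Parameter edges may form cycles in a malformed or adversarial graph.
struct Type {
    std::string name;
    std::vector<const Type*> params;
};

// Hypothetical bound on nesting depth; chosen well below typical stack limits.
constexpr int kMaxTypeDepth = 64;

// Recursive worker. Two guards stop unbounded recursion:
//  1. depth > kMaxTypeDepth: emit "..." instead of descending further;
//  2. on_path already contains t: the graph is cyclic, emit "<cycle>".
static void NameTypeImpl(const Type *t, int depth,
                         std::unordered_set<const Type*> &on_path, std::string &out) {
    if (depth > kMaxTypeDepth) { out += "..."; return; }
    if (!on_path.insert(t).second) { out += "<cycle>"; return; }
    out += t->name;
    if (!t->params.empty()) {
        out += '<';
        for (size_t i = 0; i < t->params.size(); i++) {
            if (i) out += ", ";
            NameTypeImpl(t->params[i], depth + 1, on_path, out);
        }
        out += '>';
    }
    on_path.erase(t);  // leaving this node: it may legitimately appear again on another branch
}

// Public entry point: bounded regardless of the shape of the input graph.
std::string NameType(const Type *t) {
    std::unordered_set<const Type*> on_path;
    std::string out;
    NameTypeImpl(t, 0, on_path, out);
    return out;
}

// Constructed sample input: n nested "vector" wrappers around "int".
std::string NameNested(int n) {
    std::vector<Type> nodes(n + 1);  // sized up front so element addresses stay valid
    nodes[n].name = "int";
    for (int i = n - 1; i >= 0; i--) {
        nodes[i].name = "vector";
        nodes[i].params.push_back(&nodes[i + 1]);
    }
    return NameType(&nodes[0]);
}

// Constructed sample input: a type whose parameter is itself (a cycle).
std::string NameSelfReferential() {
    Type t;
    t.name = "list";
    t.params.push_back(&t);
    return NameType(&t);
}

int main() {
    std::printf("%s\n", NameNested(3).c_str());          // vector<vector<vector<int>>>
    std::printf("%s\n", NameSelfReferential().c_str());  // list<<cycle>>
    std::printf("%s\n", NameNested(100000).c_str());     // truncated with "...", no stack overflow
    return 0;
}
```

Without the two guards, `NameNested(100000)` and `NameSelfReferential()` would recurse until the stack is exhausted, which is the availability failure this advisory describes; with them the output is merely truncated or marked as cyclic.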
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-20T17:07:30.695Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699a20dabe58cf853b48d564
Added to database: 2/21/2026, 9:17:14 PM
Last enriched: 2/21/2026, 9:31:42 PM
Last updated: 2/22/2026, 4:10:08 AM
Views: 17