CVE-2026-2887: Uncontrolled Recursion in aardappel lobster
A security vulnerability has been detected in aardappel lobster up to 2025.4. It affects the function lobster::TypeName in the file dev/src/lobster/idents.h. Manipulation of this function leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 fixes this issue. The patch is identified by commit 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-2887 identifies a vulnerability in the aardappel lobster library, specifically in the lobster::TypeName function located in dev/src/lobster/idents.h. The flaw is uncontrolled recursion triggered by crafted inputs or conditions within this function, which can lead to stack overflow or denial of service through resource exhaustion. Because the recursion depth is not bounded, an attacker with local access and low privileges can induce this behavior. The vulnerability affects all versions up to 2025.4 and has been publicly disclosed, although no active exploitation has been reported. It requires no user interaction and does not directly compromise confidentiality or integrity, but it affects availability by causing application instability or crashes. The patch identified by commit 8ba49f98ccfc9734ef352146806433a41d9f9aa6 addresses this issue and is included in version 2026.1 of the lobster library. The CVSS 4.0 base score is 4.8 (medium severity), reflecting the local attack vector and limited impact scope. Organizations using this library in development or runtime environments should prioritize upgrading to the fixed version to prevent denial of service.
Potential Impact
The primary impact of CVE-2026-2887 is on availability. By triggering the uncontrolled recursion, an attacker with local access can cause the affected application or service to crash or become unresponsive, resulting in denial of service. This can disrupt development workflows or runtime operations that rely on the lobster library. While the vulnerability does not directly expose sensitive data or allow privilege escalation, the resulting instability can affect dependent systems and services, potentially causing downtime or degraded performance. Organizations with critical systems running the affected versions may face operational disruptions, increased support costs, and reputational damage if service availability is affected. Since exploitation requires local access, the threat is most relevant in environments where multiple users share access or where attackers have already gained a limited foothold. The absence of known exploitation in the wild reduces immediate risk but does not remove the need for remediation.
Mitigation Recommendations
To mitigate CVE-2026-2887, organizations should upgrade the aardappel lobster library to version 2026.1 or later, which contains the patch for the uncontrolled recursion. Until the upgrade can be applied, restrict local access to systems running affected versions to trusted users only. Monitor for application crashes or unusual resource consumption patterns that may indicate attempted exploitation. Review and test any custom code that invokes lobster::TypeName with untrusted or crafted inputs. Employ runtime protections such as stack depth limits or recursion guards where the environment supports them. Additionally, maintain strict access controls and audit logs to detect and respond to unauthorized local access attempts, and keep development and runtime environments regularly patched to reduce exposure to similar vulnerabilities.
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-20T17:07:30.695Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699a20dabe58cf853b48d564
Added to database: 2/21/2026, 9:17:14 PM
Last enriched: 3/1/2026, 6:15:51 AM
Last updated: 4/8/2026, 10:50:31 AM