CVE-2026-3285: Out-of-Bounds Read in berry-lang berry
A vulnerability was found in berry-lang berry up to 1.1.0. The affected element is the function scan_string in the file src/be_lexer.c. Manipulating it causes an out-of-bounds read. The attack requires local access. The exploit has been publicly disclosed and may be used. Patch name: 7149c59a39ba44feca261b12f06089f265fec176. Applying the patch is the recommended action to fix this issue.
AI Analysis
Technical Summary
CVE-2026-3285 identifies a security vulnerability in the berry-lang interpreter, an embeddable scripting language designed for resource-constrained environments. The vulnerability exists in the scan_string function within the lexer component (src/be_lexer.c) and manifests as an out-of-bounds read condition. This occurs when the function improperly handles string scanning, allowing it to read memory beyond the allocated buffer. The flaw requires local access and low privileges, meaning an attacker must have some level of access to the system but does not require elevated permissions or user interaction to exploit. The out-of-bounds read can lead to unauthorized disclosure of memory contents, potentially exposing sensitive data such as cryptographic keys, passwords, or other confidential information residing in adjacent memory. The vulnerability affects berry-lang versions 1.0 and 1.1.0. The CVSS v4.0 base score is 4.8, reflecting a medium severity level due to the limited attack vector (local access) and the absence of integrity or availability impacts. A patch identified by commit 7149c59a39ba44feca261b12f06089f265fec176 has been released to fix this issue. While no known exploits have been observed in the wild, the public disclosure of the vulnerability increases the risk of exploitation attempts. Organizations embedding berry-lang in their products or using it for scripting should apply the patch promptly to prevent potential data leakage.
Potential Impact
The primary impact of CVE-2026-3285 is the potential unauthorized disclosure of sensitive information due to out-of-bounds memory reads. This can compromise confidentiality by exposing internal memory contents that may include sensitive data such as credentials, cryptographic material, or proprietary information. Since the vulnerability requires local access and low privileges, the risk is somewhat mitigated by the need for an attacker to have an initial foothold on the system. However, in environments where berry-lang is embedded in critical systems or used in multi-tenant or shared environments, this vulnerability could facilitate lateral movement or privilege escalation by leaking information useful for further attacks. There is no direct impact on data integrity or system availability. The scope is limited to systems running vulnerable versions of berry-lang, which may be embedded in IoT devices, lightweight applications, or specialized software. Failure to patch could lead to increased risk of data breaches and compromise of system confidentiality in affected environments.
Mitigation Recommendations
To mitigate CVE-2026-3285, organizations should immediately apply the official patch identified by commit 7149c59a39ba44feca261b12f06089f265fec176 or upgrade to a berry-lang version beyond 1.1.0 that includes the fix. Since the vulnerability requires local access, it is critical to enforce strict access controls and limit user privileges to reduce the risk of unauthorized local exploitation. Employing application whitelisting and monitoring for unusual local activity can help detect exploitation attempts. Additionally, conduct code audits and testing on any custom integrations of berry-lang to identify potential misuse of the scan_string function or similar parsing routines. For embedded systems, ensure secure firmware update mechanisms are in place to deploy patches promptly. Network segmentation and endpoint protection can further reduce the attack surface by isolating vulnerable systems. Finally, maintain an inventory of all systems using berry-lang to prioritize patching and risk assessment.
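One way to run the patch check above against source trees that vendor berry as a git checkout, as an added example that is not part of the advisory or the berry project. The helper name `berry_fix_status` and its three status words are assumptions; the commit hash is the patch name given in the advisory.

```shell
#!/bin/sh
# Added example: report whether a git checkout contains the fix commit
# named in the advisory. Helper name and status words are hypothetical.

FIX_COMMIT=7149c59a39ba44feca261b12f06089f265fec176   # patch name from the advisory

# berry_fix_status DIR [COMMIT]
# Prints one word:
#   present  - COMMIT is an ancestor of (or equal to) HEAD in DIR
#   absent   - COMMIT exists in the clone but HEAD's history does not contain it
#   unknown  - DIR has no git metadata, or the commit object is not in this
#              clone (shallow or stale clone, tarball copy, or a fix that was
#              backported under a different hash); review src/be_lexer.c by hand
berry_fix_status() {
    dir=$1
    commit=${2:-$FIX_COMMIT}

    # No git metadata at all: history cannot answer the question.
    git -C "$dir" rev-parse --git-dir >/dev/null 2>&1 || { echo unknown; return 0; }

    # The commit object must exist locally before ancestry can be tested.
    git -C "$dir" cat-file -e "${commit}^{commit}" 2>/dev/null || { echo unknown; return 0; }

    # Exit status 0 means COMMIT is reachable from HEAD.
    if git -C "$dir" merge-base --is-ancestor "$commit" HEAD 2>/dev/null; then
        echo present
    else
        echo absent
    fi
}

# Stand-alone use: pass one or more checkout paths on the command line.
for d in "$@"; do
    printf '%s\t%s\n' "$d" "$(berry_fix_status "$d")"
done
```

A result of `unknown` is not a clean bill of health: copies vendored without history need a manual comparison of scan_string against the patched source.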
Affected Countries
United States, Germany, Japan, South Korea, China, France, United Kingdom, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-26T16:38:46.941Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69a10ed332ffcdb8a2b614ce
Added to database: 2/27/2026, 3:26:11 AM
Last enriched: 2/27/2026, 3:42:27 AM
Last updated: 4/12/2026, 11:07:12 PM