CVE-2026-3383: Divide By Zero in ChaiScript
A weakness has been identified in ChaiScript up to 6.1.0. This affects the function chaiscript::Boxed_Number::go of the file include/chaiscript/dispatchkit/boxed_number.hpp. Executing a manipulation can lead to divide by zero. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-3383 identifies a divide-by-zero vulnerability in ChaiScript, an embedded scripting language commonly used to add scripting capabilities to C++ applications. The vulnerability resides in the function chaiscript::Boxed_Number::go within the file boxed_number.hpp. This function handles numeric operations, and due to insufficient input validation or error handling, it can perform a division by zero when manipulated by a local attacker. The attack requires local access with limited privileges and does not require user interaction or elevated rights. The flaw can cause the affected application to crash or behave unpredictably, leading to denial of service. The vulnerability affects ChaiScript versions 6.0 and 6.1.0. Although the issue was responsibly disclosed early, the project has not yet released a patch. Public exploit code is available, increasing the risk of exploitation in environments where ChaiScript is deployed locally. The CVSS 4.0 base score is 4.8, reflecting medium severity due to the limited attack vector and impact scope.
Potential Impact
The primary impact of this vulnerability is denial of service through application crashes caused by divide-by-zero errors. For organizations embedding ChaiScript in their software, this could lead to service interruptions, reduced reliability, and potential disruption of business operations. While the vulnerability does not directly lead to privilege escalation or data compromise, denial of service in critical systems could have cascading effects, especially in embedded or industrial control environments where ChaiScript might be used. Since exploitation requires local access, remote attackers cannot exploit this directly, limiting the threat to insiders or attackers who have already gained some foothold. However, the availability of public exploit code lowers the barrier for attackers with local access to cause disruption.
Mitigation Recommendations
Organizations should monitor for updates from the ChaiScript project and apply patches promptly once available. Until a patch is released, mitigations include restricting local access to systems running vulnerable versions of ChaiScript, enforcing strict access controls and user permissions to limit who can execute or manipulate scripts. Application developers should consider implementing input validation and error handling around numeric operations in their use of ChaiScript to prevent divide-by-zero conditions. Additionally, deploying runtime monitoring and crash detection can help identify exploitation attempts early. If possible, disabling or sandboxing scripting features that use ChaiScript can reduce the attack surface. Finally, conducting code audits and testing for similar numeric vulnerabilities in custom scripts or extensions is recommended.
Affected Countries
United States, Germany, Japan, South Korea, France, United Kingdom, Canada, Australia, China, India
CVE-2026-3383: Divide By Zero in ChaiScript
Description
A weakness has been identified in ChaiScript up to 6.1.0. This affects the function chaiscript::Boxed_Number::go of the file include/chaiscript/dispatchkit/boxed_number.hpp. Executing a manipulation can lead to divide by zero. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-3383 identifies a divide-by-zero vulnerability in ChaiScript, an embedded scripting language commonly used to add scripting capabilities to C++ applications. The vulnerability resides in the function chaiscript::Boxed_Number::go within the file boxed_number.hpp. This function handles numeric operations, and due to insufficient input validation or error handling, it can perform a division by zero when manipulated by a local attacker. The attack requires local access with limited privileges and does not require user interaction or elevated rights. The flaw can cause the affected application to crash or behave unpredictably, leading to denial of service. The vulnerability affects ChaiScript versions 6.0 and 6.1.0. Although the issue was responsibly disclosed early, the project has not yet released a patch. Public exploit code is available, increasing the risk of exploitation in environments where ChaiScript is deployed locally. The CVSS 4.0 base score is 4.8, reflecting medium severity due to the limited attack vector and impact scope.
Potential Impact
The primary impact of this vulnerability is denial of service through application crashes caused by divide-by-zero errors. For organizations embedding ChaiScript in their software, this could lead to service interruptions, reduced reliability, and potential disruption of business operations. While the vulnerability does not directly lead to privilege escalation or data compromise, denial of service in critical systems could have cascading effects, especially in embedded or industrial control environments where ChaiScript might be used. Since exploitation requires local access, remote attackers cannot exploit this directly, limiting the threat to insiders or attackers who have already gained some foothold. However, the availability of public exploit code lowers the barrier for attackers with local access to cause disruption.
Mitigation Recommendations
Organizations should monitor for updates from the ChaiScript project and apply patches promptly once available. Until a patch is released, mitigations include restricting local access to systems running vulnerable versions of ChaiScript, enforcing strict access controls and user permissions to limit who can execute or manipulate scripts. Application developers should consider implementing input validation and error handling around numeric operations in their use of ChaiScript to prevent divide-by-zero conditions. Additionally, deploying runtime monitoring and crash detection can help identify exploitation attempts early. If possible, disabling or sandboxing scripting features that use ChaiScript can reduce the attack surface. Finally, conducting code audits and testing for similar numeric vulnerabilities in custom scripts or extensions is recommended.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-02-28T14:23:19.391Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a3e31832ffcdb8a2033ae5
Added to database: 3/1/2026, 6:56:24 AM
Last enriched: 3/9/2026, 1:20:13 AM
Last updated: 4/20/2026, 12:49:12 AM
Views: 118
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.