CVE-2026-3383 identifies a divide-by-zero vulnerability in ChaiScript, an embedded scripting language for C++. The flaw exists in the chaiscript::Boxed_Number::go function within the dispatchkit/boxed_number.hpp source file. When manipulated by a local attacker, this vulnerability can cause the application to perform a division by zero, leading to undefined behavior such as crashes or denial of service. The vulnerability affects ChaiScript versions 6.0 and 6.1.0. Exploitation requires local access with low privileges and does not require user interaction or elevated privileges. The vulnerability was responsibly disclosed to the ChaiScript project, but no patch has been released yet. The CVSS 4.0 score is 4.8 (medium severity), reflecting limited impact scope and the requirement for local access. No known exploits in the wild have been reported, but proof-of-concept code is publicly available, increasing the risk of exploitation. This vulnerability primarily threatens applications embedding ChaiScript for scripting capabilities, potentially impacting their stability and availability.

The primary impact of this vulnerability is on the availability and stability of applications embedding vulnerable versions of ChaiScript. A successful local attacker can cause a divide-by-zero error, leading to application crashes or denial of service conditions. This can disrupt critical workflows or services relying on embedded scripting. Since exploitation requires local access, remote compromise is unlikely without prior foothold. However, in multi-user environments or systems where untrusted users have local access, this vulnerability could be leveraged to disrupt operations or escalate denial of service attacks. There is no indication that confidentiality or integrity is directly affected. The lack of a patch increases risk for organizations that rely on affected versions, especially those in development, testing, or production environments where ChaiScript is embedded.

1. Immediately audit all systems and applications embedding ChaiScript versions 6.0 or 6.1.0 to identify vulnerable instances. 2. Restrict local access to trusted users only, minimizing the risk of exploitation by unprivileged users. 3. Implement application-level input validation or sandboxing to prevent untrusted scripts from triggering the divide-by-zero condition. 4. Monitor application logs and system stability for signs of crashes or abnormal behavior indicative of exploitation attempts. 5. Engage with the ChaiScript development community to track patch releases or security advisories addressing this vulnerability. 6. Consider recompiling or modifying the source code to add checks preventing division by zero in the affected function if immediate patching is not available. 7. Employ host-based intrusion detection systems (HIDS) to detect anomalous local activity that could indicate exploitation attempts. 8. For critical systems, isolate or containerize applications using ChaiScript to limit the blast radius of potential crashes.