
CVE-2026-3384: Uncontrolled Recursion in ChaiScript

Severity: Medium
Tags: Vulnerability, CVE-2026-3384
Published: Sun Mar 01 2026 (03/01/2026, 08:02:08 UTC)
Source: CVE Database V5
Product: ChaiScript

Description

A security vulnerability has been detected in ChaiScript up to 6.1.0. This impacts the function chaiscript::eval::AST_Node_Impl::eval/chaiscript::eval::Function_Push_Pop of the file include/chaiscript/language/chaiscript_eval.hpp. The manipulation leads to uncontrolled recursion. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Last updated: 03/01/2026, 08:40:24 UTC

Technical Analysis

CVE-2026-3384 identifies a vulnerability in the ChaiScript scripting engine, specifically affecting versions 6.0 and 6.1.0. The issue arises from uncontrolled recursion within the evaluation functions chaiscript::eval::AST_Node_Impl::eval and Function_Push_Pop located in the chaiscript_eval.hpp source file. When malicious or malformed input is processed, these functions can recurse without bound or to excessive depth, leading to stack overflow or resource exhaustion. The vulnerability requires local access with limited privileges (PR:L) and does not need user interaction or elevated privileges. The attack vector is local, meaning remote exploitation is not feasible without prior access. The CVSS score of 4.8 reflects a medium severity, primarily due to the limited attack vector and the privileges required. The vulnerability can cause denial of service by crashing the host application or degrading its performance. The ChaiScript project was notified early but has not yet released a patch or official fix. No known exploits have been reported in the wild, but public disclosure increases the risk of exploitation attempts. This vulnerability affects any software embedding ChaiScript for scripting, which may include automation tools, embedded systems, or applications requiring runtime script evaluation. Without mitigation, attackers with local access could disrupt services or cause application instability.

Potential Impact

The primary impact of CVE-2026-3384 is denial of service through uncontrolled recursion leading to application crashes or resource exhaustion. Organizations embedding ChaiScript in their software may experience instability or outages if exploited locally. While the vulnerability does not allow privilege escalation or remote code execution, the denial of service can disrupt critical workflows, especially in environments relying on scripting for automation or customization. This could affect development environments, embedded devices, or software platforms that use ChaiScript internally. The limited attack vector (local access) reduces the overall risk but does not eliminate it, particularly in multi-user systems or environments where local access is easier to obtain. The absence of a patch increases exposure time, and public disclosure may motivate attackers to develop exploits. Organizations may face operational disruptions and potential reputational damage if the vulnerability is exploited in production systems.

Mitigation Recommendations

Until an official patch is released, organizations should implement the following mitigations:

1) Restrict local access to systems running software with embedded ChaiScript to trusted users only.
2) Employ application-level input validation to detect and prevent malicious or malformed scripts that could trigger recursion.
3) Configure or modify the ChaiScript environment, if possible, to limit recursion depth or execution time to prevent infinite loops.
4) Use sandboxing or containerization to isolate script execution and limit resource consumption.
5) Monitor application logs and system metrics for signs of excessive recursion or resource exhaustion.
6) Engage with the ChaiScript community or maintainers to track patch releases and apply updates promptly once available.
7) Consider alternative scripting engines if immediate mitigation is not feasible and the risk is unacceptable.

These steps go beyond generic advice by focusing on controlling script input, limiting recursion, and isolating execution environments.
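Bounding recursion depth (mitigation items 2 and 3), shown in an added C++ example that is not ChaiScript's own code: a RAII depth guard at the top of a toy recursive evaluator turns runaway nesting into a caught exception instead of a stack overflow. The evaluator, kMaxEvalDepth and the result codes are constructed for illustration and do not correspond to any ChaiScript API.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical limit; an embedding would tune this to its thread's stack size.
constexpr std::size_t kMaxEvalDepth = 64;
struct DepthLimitExceeded : std::runtime_error {
    DepthLimitExceeded() : std::runtime_error("evaluation depth limit exceeded") {}
};

// RAII guard: counts nested evaluation steps on this thread and refuses to enter
// one once kMaxEvalDepth is reached. One guard at the top of each recursive eval
// call is the generic fix for uncontrolled recursion.
class RecursionGuard {
public:
    RecursionGuard() { if (depth_ >= kMaxEvalDepth) throw DepthLimitExceeded(); ++depth_; }
    ~RecursionGuard() { --depth_; }
    RecursionGuard(const RecursionGuard&) = delete;
private:
    static thread_local std::size_t depth_;
};
thread_local std::size_t RecursionGuard::depth_ = 0;

// Stand-in for a recursive AST evaluator: every '(' is a nested node, so
// "(((7)))" recurses three levels deep before reaching the literal.
long eval_nested(const std::string& src, std::size_t& pos) {
    RecursionGuard guard;  // one guarded level per nested node
    if (pos < src.size() && src[pos] == '(') {
        ++pos;
        long value = eval_nested(src, pos);
        if (pos >= src.size() || src[pos] != ')') throw std::runtime_error("missing ')'");
        ++pos;
        return value;
    }
    std::size_t start = pos;
    while (pos < src.size() && src[pos] >= '0' && src[pos] <= '9') ++pos;
    if (start == pos) throw std::runtime_error("expected a number");
    return std::stol(src.substr(start, pos - start));
}

// Result for the embedding application: 0 = evaluated, 1 = depth limit hit
// (hostile or runaway input), 2 = ordinary parse error.
int safe_eval(const std::string& src, long& result) {
    std::size_t pos = 0;
    try {
        result = eval_nested(src, pos);
        return pos == src.size() ? 0 : 2;
    } catch (const DepthLimitExceeded&) { return 1; }
      catch (const std::runtime_error&) { return 2; }
}
```

Because the guard is an RAII object, stack unwinding after the exception restores the depth counter, so the evaluator remains usable for the next script.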


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-28T14:23:22.407Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69a3f82232ffcdb8a20b78ab

Added to database: 3/1/2026, 8:26:10 AM

Last enriched: 3/1/2026, 8:40:24 AM

Last updated: 3/2/2026, 6:42:03 AM

