CVE-2026-3384 identifies a vulnerability in the ChaiScript scripting engine, specifically affecting versions 6.0 and 6.1.0. The issue resides in the evaluation logic within the source file chaiscript_eval.hpp, notably in the functions chaiscript::eval::AST_Node_Impl::eval and chaiscript::eval::Function_Push_Pop. These functions handle the execution of abstract syntax tree nodes and function call stack management, respectively. The vulnerability manifests as uncontrolled recursion triggered by crafted input or script code, which causes the interpreter to enter a recursive loop without proper termination conditions. This uncontrolled recursion can lead to stack overflow or exhaustion of system resources, resulting in denial of service (DoS) conditions. The attack vector is local, requiring an attacker to have some level of local access and privileges to execute malicious scripts or inputs. No authentication bypass or remote exploitation is indicated. The vulnerability was responsibly disclosed early to the ChaiScript project, but no patch or official fix has been released as of the publication date. The CVSS 4.0 vector indicates low attack complexity, local attack vector, and limited privileges required, with no user interaction or confidentiality/integrity impact, culminating in a medium severity rating with a base score of 4.8. There are no known exploits in the wild yet, but public disclosure increases the risk of exploitation attempts.

The primary impact of CVE-2026-3384 is denial of service through resource exhaustion caused by uncontrolled recursion in the ChaiScript interpreter. Organizations embedding ChaiScript in their applications or using it for local scripting could experience application crashes or degraded performance, potentially disrupting critical workflows or services. Since the attack requires local access and limited privileges, the threat is more relevant in environments where multiple users share access or where untrusted code execution is possible. Confidentiality and integrity impacts are minimal or nonexistent, but availability degradation can affect operational continuity. Systems relying heavily on ChaiScript for automation, configuration, or embedded scripting in industrial, IoT, or development environments are at higher risk. The lack of an official patch increases exposure time, and public exploit disclosure may lead to increased attempts to leverage this vulnerability.

To mitigate CVE-2026-3384, organizations should first assess whether they use affected versions of ChaiScript (6.0 or 6.1.0) in their environments. Since no official patch is available, consider the following specific actions: 1) Restrict local access to systems running ChaiScript to trusted users only, minimizing the risk of local exploitation. 2) Implement strict input validation and sanitization on scripts or data processed by ChaiScript to prevent malicious recursive constructs. 3) Introduce resource limits such as maximum recursion depth or execution timeouts within the scripting environment or host application to prevent runaway recursion. 4) If feasible, disable or sandbox scripting capabilities where untrusted code execution is possible. 5) Monitor logs and system behavior for signs of excessive recursion or resource exhaustion. 6) Engage with the ChaiScript community or maintainers for updates or unofficial patches. 7) Consider upgrading to future versions once a fix is released. These targeted mitigations go beyond generic advice by focusing on controlling recursion and limiting local attack surfaces.