
CVE-2026-3390: Out-of-Bounds Read in FascinatedBox lily

Severity: Medium
Published: Sun Mar 01 2026 (03/01/2026, 10:02:10 UTC)
Source: CVE Database V5
Vendor/Project: FascinatedBox
Product: lily

Description

A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Last updated: 03/01/2026, 10:25:34 UTC

Technical Analysis

CVE-2026-3390 identifies a vulnerability in FascinatedBox lily affecting versions up to 2.3. The flaw resides in the patch_line_end function in src/lily_build_error.c, part of the error reporting component. It is an out-of-bounds read: the function accesses memory outside the bounds of the buffer it was given, which can disclose the contents of adjacent memory. Exploitation requires local access with limited privileges (PR:L), no user interaction (UI:N), and no elevated privileges, so any local user or process on the affected system can trigger it. The CVSS score of 4.8 corresponds to medium severity, with the impact falling primarily on confidentiality and only limited effect on integrity or availability. A public exploit is available, which raises the likelihood of exploitation, although no active exploitation has been reported. The vendor has been notified but has not yet responded or issued a patch. The vulnerability affects all versions from 2.0 through 2.3, and with no patch links available, mitigation currently has to rely on workarounds and access controls. Because the attack is confined to local environments, remote exposure is limited, but the risk is real on multi-user or shared systems where untrusted local users exist.

Potential Impact

The primary impact of CVE-2026-3390 is unauthorized disclosure of information due to out-of-bounds memory reads. This can allow local attackers to access sensitive data residing in memory adjacent to the buffer, potentially including error messages, internal state, or other confidential information. While the vulnerability does not directly allow code execution or privilege escalation, the leaked information could be leveraged for further attacks or reconnaissance. Organizations running FascinatedBox lily in development, testing, or production environments with multiple local users or untrusted processes are at risk. The local attack requirement reduces the risk for many deployments but is significant in environments such as shared servers, developer workstations, or CI/CD pipelines. The absence of vendor response and patches prolongs exposure. The medium severity rating reflects moderate confidentiality impact with limited scope and no remote exploitation, but the availability of public exploits increases the likelihood of exploitation attempts.

Mitigation Recommendations

Until an official patch is released, organizations should implement strict local access controls to limit who can execute or interact with FascinatedBox lily, ensuring only trusted users have local system access. Employ sandboxing or containerization to isolate lily processes and minimize memory exposure. Monitor systems for unusual local activity or for attempts to exploit the vulnerability using the available public exploit. Review and restrict permissions on the lily installation and related files to prevent unauthorized modifications. Consider disabling or restricting the error reporting component if feasible, or audit the relevant code to detect and mitigate out-of-bounds reads. Maintain up-to-date backups and be prepared to apply vendor patches promptly once available. Engage with the vendor or community to encourage timely remediation and share threat intelligence. Finally, educate local users about the risks of executing untrusted code or commands on systems running lily.


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-28T17:03:45.654Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69a410be32ffcdb8a216f793

Added to database: 3/1/2026, 10:11:10 AM

Last enriched: 3/1/2026, 10:25:34 AM

Last updated: 3/2/2026, 12:00:58 AM
