CVE-2026-3390: Out-of-Bounds Read in FascinatedBox lily
A vulnerability was identified in FascinatedBox lily up to 2.3. This issue affects the function patch_line_end of the file src/lily_build_error.c of the component Error Reporting. The manipulation leads to an out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-3390 identifies a vulnerability in FascinatedBox lily, an open-source or proprietary software product, affecting versions 2.0 through 2.3. The vulnerability resides in the patch_line_end function of the src/lily_build_error.c file, part of the error reporting component. The issue is an out-of-bounds read: the function reads memory outside the bounds of the buffer it was given, which can disclose the contents of adjacent memory or cause application instability. The attack vector is local, requiring the attacker to have limited privileges on the system, and no user interaction is necessary to trigger the flaw. The CVSS 4.0 vector indicates low attack complexity and no privileges required beyond local access, with the impact limited to local information disclosure and no impact on integrity or availability. The vulnerability was responsibly disclosed early, but the vendor has not yet issued a patch or response. A public exploit is available, increasing the risk of exploitation in environments where local access is possible. The vulnerability does not affect remote attackers directly and does not require elevated privileges, but the local read could be leveraged in multi-user systems or shared environments to gain unauthorized information.
Potential Impact
The primary impact of CVE-2026-3390 is limited local information disclosure due to out-of-bounds memory reads. While this does not directly allow remote code execution or privilege escalation, it can expose sensitive data stored in adjacent memory, potentially including error messages, internal state, or other confidential information. In multi-user or shared environments, attackers with local access could exploit this flaw to gather intelligence that may facilitate further attacks. The vulnerability does not affect system availability or integrity directly but could undermine trust in the software's error reporting mechanism. Since exploitation requires local access, the threat is mainly relevant in environments where untrusted users have some system access, such as shared servers, development machines, or compromised user accounts. The availability of a public exploit increases the likelihood of opportunistic attacks in such contexts. Organizations relying on FascinatedBox lily for critical applications should consider the risk of information leakage and potential indirect consequences.
Mitigation Recommendations
To mitigate CVE-2026-3390, organizations should first restrict local access to systems running affected versions of FascinatedBox lily, ensuring only trusted users have login privileges. Implement strict user account controls and monitor for unusual local activity that might indicate exploitation attempts. Since no official patch is currently available, consider applying temporary code-level mitigations such as input validation or bounds checking in the patch_line_end function if source code access and development resources permit. Employ runtime protections like memory safety tools (e.g., AddressSanitizer) during development and testing to detect out-of-bounds reads. Regularly audit error reporting outputs to ensure no sensitive data is exposed. Stay alert for vendor updates or community patches and plan for prompt application once released. Additionally, isolate systems running this software in segmented network zones to limit lateral movement if local compromise occurs.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-28T17:03:45.654Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a410be32ffcdb8a216f793
Added to database: 3/1/2026, 10:11:10 AM
Last enriched: 3/9/2026, 1:27:27 AM
Last updated: 4/15/2026, 1:31:20 PM