CVE-2026-3391: Out-of-Bounds Read in FascinatedBox lily
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clear_storages of the file src/lily_emitter.c. The manipulation results in an out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
CVE-2026-3391 is an out-of-bounds read in the function clear_storages in src/lily_emitter.c of FascinatedBox lily, affecting versions up to and including 2.3 (the advisory gives no lower bound). The function reads past the end of the memory it should be walking, so an attacker with local, low-privilege access can make the lily process read data adjacent to the intended buffer. What that data is depends on what the process holds at the time: an over-read in a compiler typically exposes other compiler state or heap contents, and only exposes credentials or key material if the embedding program keeps such data in the same process. The impact is therefore to confidentiality (information disclosure); integrity and availability are not directly affected, apart from a possible crash when the read reaches an unmapped page. No user interaction and no privileges beyond a local account are required. The reported CVSS v4.0 base score of 4.8 (medium) reflects the local-only attack vector and the absence of code execution or privilege escalation. The file name points at the emitter, i.e. the compile-time stage that turns lily source into bytecode, so the most likely trigger is source text handed to the lily compiler; the flaw then only matters across a trust boundary, where a lily process compiles source supplied by someone other than the user it runs as (this is an inference from the file name; the advisory itself does not describe the trigger). The issue was reported to the project through its issue tracker, no patch or response had been published at the time of writing, and a public exploit exists, although no exploitation in the wild has been reported. The lesson is the usual one for hand-written memory management: a count that can drift past the allocation it describes must be validated before it is used as a loop bound.
Potential Impact
The primary impact of CVE-2026-3391 is unauthorized disclosure of memory from the process running the lily compiler. For organizations using lily, that can include whatever the process holds: other compiler and runtime state, fragments of previously processed sources, or, where lily is embedded in a larger program, that program's data. The attack needs local access at low privilege, so it matters on shared systems and where an attacker already has a foothold (a compromised account, an insider) and can feed input to a lily process that runs as another user or holds data the attacker should not see; in that setting it turns a constrained foothold into a memory-disclosure primitive that can support further attacks or data exfiltration. The absence of a vendor response or patch prolongs the exposure. Since the flaw provides neither remote exploitation nor privilege escalation, the overall impact is contained; integrity and availability are not directly affected, apart from a crash if the over-read reaches unmapped memory. Organizations with strict confidentiality requirements or those operating in regulated industries should treat it as a moderate risk.
Mitigation Recommendations
Because no fix is available, mitigating CVE-2026-3391 is about limiting who can reach a vulnerable lily process and how quickly an over-read would be noticed. First, inventory installations and pin down the version; anything at or below 2.3 is in scope. Second, restrict execution of the lily binary, and of any program that embeds it, to trusted users, and do not compile or run lily scripts from users you do not trust in a process that holds data those users should not see; this removes the trust boundary the bug crosses. Mandatory access control profiles (SELinux, AppArmor) help by confining which users can execute the binary and what files and sockets the process can reach, which bounds what an over-read can disclose and what a crash can disrupt; they do not prevent the over-read itself. Third, for testing and detection rather than production hardening, build lily from source with AddressSanitizer (the GCC/Clang flag -fsanitize=address): an instrumented build turns the silent out-of-bounds read into an immediate abort with a stack trace, which lets you confirm whether the public exploit triggers against your build and gives you a regression test for when a fix lands; ASan adds memory and CPU overhead and aborts on the first error, so it is not a substitute for a patch. Fourth, on shared hosts log invocations of the lily binary and alert on repeated crashes of it (SIGSEGV entries in system logs, core dumps), since an attacker probing the over-read with varying inputs often crashes the process before landing a useful leak; route those signals into the EDR you already run rather than adding a new control for this one issue. Fifth, watch the project's repository, issue tracker and release notes for a fix, and if a community patch appears, review the diff yourself before applying it. Finally, enforce strong authentication and session controls for local accounts, since every step of this attack starts with a local login.
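The following is an added illustration of the bug class described in the technical summary, and of the "validate the count before using it as a bound" fix the mitigation section asks for. It is not the lily project's code: the pool structure, field names, sizes and the way the count drifts are assumptions constructed for the example. A clear routine that trusts an in-use count larger than the allocation reads past the end of the slots array; the checked variant refuses to walk memory it does not own.

```c
/*
 * Constructed illustration of an out-of-bounds read in a "clear storages"
 * style loop, beside a bounded version. Struct names, fields and sizes
 * are assumptions for this example; this is not the lily emitter's code.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int reg_spot;   /* register index this slot was handed out as */
    int flags;      /* non-zero means the slot is in use */
} storage_t;

typedef struct {
    storage_t *slots;
    size_t capacity;  /* number of slots actually allocated */
    size_t in_use;    /* how many slots the caller claims are live */
} storage_pool_t;

/* Vulnerable pattern: trusts in_use as the loop bound. If in_use exceeds
 * capacity (a stale or miscomputed count), the loop reads
 * slots[capacity .. in_use-1], which lies outside the allocation. Under
 * -fsanitize=address that read is reported as a heap-buffer-overflow.
 * Only ever call this on a pool whose count is known to be consistent. */
static int clear_storages_unchecked(storage_pool_t *pool)
{
    int cleared = 0;
    for (size_t i = 0; i < pool->in_use; i++) {
        if (pool->slots[i].flags != 0) {   /* the over-read happens here */
            pool->slots[i].flags = 0;
            cleared++;
        }
    }
    pool->in_use = 0;
    return cleared;
}

/* Hardened pattern: check the invariant in_use <= capacity before touching
 * memory, and fail loudly instead of clamping silently so the caller learns
 * that its bookkeeping went wrong. Returns -1 on an invariant violation. */
static int clear_storages_checked(storage_pool_t *pool)
{
    if (pool->slots == NULL || pool->in_use > pool->capacity)
        return -1;
    int cleared = 0;
    for (size_t i = 0; i < pool->in_use; i++) {
        if (pool->slots[i].flags != 0) {
            pool->slots[i].flags = 0;
            cleared++;
        }
    }
    pool->in_use = 0;
    return cleared;
}

/* Build a pool of `capacity` slots, mark the first `marked` as in use, then
 * record `claimed` as the in_use count (deliberately allowed > capacity). */
static storage_pool_t make_pool(size_t capacity, size_t marked, size_t claimed)
{
    storage_pool_t pool;
    pool.slots = calloc(capacity, sizeof(storage_t));
    pool.capacity = capacity;
    pool.in_use = claimed;
    for (size_t i = 0; pool.slots != NULL && i < marked && i < capacity; i++) {
        pool.slots[i].reg_spot = (int)i;
        pool.slots[i].flags = 1;
    }
    return pool;
}

static void free_pool(storage_pool_t *pool)
{
    free(pool->slots);
    pool->slots = NULL;
    pool->capacity = pool->in_use = 0;
}

/* Consistent pool (claims 4, owns 4, 3 slots marked): both variants agree. */
int demo_consistent(void)
{
    storage_pool_t p = make_pool(4, 3, 4);
    int cleared = clear_storages_checked(&p);
    free_pool(&p);
    return cleared;                       /* 3 */
}

int demo_unchecked_on_good_pool(void)
{
    storage_pool_t p = make_pool(4, 3, 4);
    int cleared = clear_storages_unchecked(&p);
    free_pool(&p);
    return cleared;                       /* 3 */
}

/* Overshooting pool (claims 6, owns 4): the checked variant refuses. The
 * unchecked variant is intentionally not run here, since it would read
 * past the allocation. */
int demo_overshoot(void)
{
    storage_pool_t p = make_pool(4, 3, 6);
    int rc = clear_storages_checked(&p);
    free_pool(&p);
    return rc;                            /* -1 */
}

int main(void)
{
    printf("consistent, checked:   %d\n", demo_consistent());
    printf("consistent, unchecked: %d\n", demo_unchecked_on_good_pool());
    printf("overshoot, checked:    %d\n", demo_overshoot());
    return 0;
}
```

To see what the mitigation section means by an instrumented build, compile this file with `cc -fsanitize=address -g` and change demo_overshoot to call clear_storages_unchecked: with 8-byte slots the pool is a 32-byte allocation, and AddressSanitizer aborts on the first read of slots[4].flags with a "heap-buffer-overflow READ of size 4" report and a stack trace naming the loop. Applied to a real lily build, the same flag turns a silent over-read into exactly that kind of crash report.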
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-28T17:03:49.590Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a425d832ffcdb8a21d528a
Added to database: 3/1/2026, 11:41:12 AM
Last enriched: 3/9/2026, 1:22:26 AM
Last updated: 4/15/2026, 8:49:19 PM