Nixpkgs security tracker

Untriaged

Permalink CVE-2026-2887

3.3 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months ago Activity log

Created suggestion 2 months ago

aardappel lobster idents.h TypeName recursion

A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 will fix this issue. The name of the patch is 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.

References

VDB-347181 | aardappel lobster idents.h TypeName recursion vdb-entrytechnical-description
VDB-347181 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #755026 | aardappel lobster c8a6042 Uncontrolled Recursion third-party-advisory
https://github.com/aardappel/lobster/issues/397 issue-tracking
https://github.com/aardappel/lobster/issues/397#issuecomment-3849015088 issue-tracking
https://github.com/oneafter/0204/blob/main/lob3/repro.lobster exploit
https://github.com/aardappel/lobster/commit/8ba49f98ccfc9734ef352146806433a41d9… patch
https://github.com/aardappel/lobster/releases/tag/v2026.1 patch
https://github.com/aardappel/lobster/ product

Affected products

lobster

==2026.1
==2025.0
==2025.1
==2025.2
==2025.3
==2025.4

Matching in nixpkgs

pkgs.lobster

Lobster programming language

nixos-unstable 2025.3
- nixpkgs-unstable 2025.3
- nixos-unstable-small 2025.3
nixos-25.11 2025.3
- nixos-25.11-small 2025.3
- nixpkgs-25.11-darwin 2025.3

Package maintainers

@fgaz Francesco Gazzetta <fgaz@fgaz.me>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.lobster

Package maintainers