Description
A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been published and may be used. This patch is called c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd. It is advisable to implement a patch to correct this issue.
Published: 2026-02-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Memory Corruption
Action: Patch
AI Analysis

Impact

The vulnerability exists in the WaveFunctionCollapse function of the aardappel lobster library, where improper bounds handling can corrupt memory. This flaw allows an attacker with local access to overwrite memory, potentially leading to crashes, data corruption, or in some scenarios, local privilege escalation. The weakness is classified as improper restriction of operations within the bounds of a memory buffer (CWE-119) and an out-of-bounds write (CWE-787).

Affected Systems

The issue affects the aardappel lobster product, specifically versions of the library up to 2025.4. The affected component is the file dev/src/lobster/wfc.h within the lobster source tree.

Risk and Exploitability

With a CVSS score of 4.8, the severity is medium, and the EPSS score is below 1%, indicating a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited threat. The attack vector is inferred to be local only, as the exploit requires execution of the vulnerable function within the local process. An attacker who can run code on the system may trigger memory corruption through crafted input, leading to denial of service or potential escalation if the corrupted memory can be leveraged to execute arbitrary code.

Generated by OpenCVE AI on April 18, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aardappel lobster to a version that includes commit c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd or later.
  • If an immediate update cannot be applied, deploy the application in a sandbox or container, enforce least privilege, and limit untrusted input to the WaveFunctionCollapse function.
  • When building or executing lobster, enable compiler and operating-system protections such as stack smashing protection, AddressSanitizer, ASLR, and DEP to reduce exploitation risk.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Strlen
Strlen lobster
Weaknesses CWE-787
CPEs cpe:2.3:a:strlen:lobster:*:*:*:*:*:*:*:*
Vendors & Products Strlen
Strlen lobster

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Aardappel
Aardappel lobster
Vendors & Products Aardappel
Aardappel lobster

Tue, 10 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been published and may be used. This patch is called c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd. It is advisable to implement a patch to correct this issue.
Title aardappel lobster wfc.h WaveFunctionCollapse memory corruption
Weaknesses CWE-119
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:01:24.187Z

Reserved: 2026-02-09T16:54:12.927Z

Link: CVE-2026-2258

Vulnrichment

Updated: 2026-02-10T16:42:32.547Z

NVD

Status: Analyzed

Published: 2026-02-10T00:16:06.523

Modified: 2026-02-17T16:12:27.633

Link: CVE-2026-2258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses