Description
A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. The manipulation leads to memory corruption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2f45fe860d00990e79e13250251c1dde633f1f89. Applying a patch is the recommended action to fix this issue.
Published: 2026-02-10
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local memory corruption
Action: Apply Patch
AI Analysis

Impact

A flaw in the lobster::Parser::ParseStatements function of aardappel Lobster’s parser component can corrupt memory by handling input size incorrectly. The misuse of a size parameter can overwrite adjacent data structures, leading to undefined behavior within the parser’s process. The vulnerability is a classic memory corruption issue and may be triggered by malicious or malformed input fed to the parser.

Affected Systems

All releases of aardappel Lobster up to and including 2025.4 are affected. The vulnerability is documented in the component dev/src/lobster/parser.h and has been addressed by the commit 2f45fe860d00990e79e13250251c1dde633f1f89. Only versions distributed by the aardappel:lobster vendor before this patch are impacted.

Risk and Exploitability

The CVSS score of 4.8 signifies moderate severity, and the EPSS score indicates a very low probability of exploitation (less than 1%). The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to the system running the parser; there is no known remote attack vector. If successful, the memory corruption could allow an attacker to execute arbitrary code within the context of the local process that owns the parser.

Generated by OpenCVE AI on April 18, 2026 at 12:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch corresponding to commit 2f45fe860d00990e79e13250251c1dde633f1f89 to update the parser library
  • Upgrade to a version of aardappel Lobster that includes the patch, such as 2025.5 or newer
  • If a patch cannot be applied immediately, restrict the use of ParseStatements to trusted input or disable its invocation for untrusted data to mitigate exploitation risk



Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| First Time appeared | | Strlen; Strlen lobster |
| Weaknesses | | CWE-787 |
| CPEs | | cpe:2.3:a:strlen:lobster:*:*:*:*:*:*:*:* |
| Vendors & Products | | Strlen; Strlen lobster |

Tue, 10 Feb 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Tue, 10 Feb 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
| First Time appeared | | Aardappel; Aardappel lobster |
| Vendors & Products | | Aardappel; Aardappel lobster |

Tue, 10 Feb 2026 03:45:00 +0000

| Type | Values Removed | Values Added |
| Description | | A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. The manipulation leads to memory corruption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2f45fe860d00990e79e13250251c1dde633f1f89. Applying a patch is the recommended action to fix this issue. |
| Title | | aardappel lobster Parsing parser.h ParseStatements memory corruption |
| Weaknesses | | CWE-119 |
| References | | |
| Metrics | | cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'} |
| | | cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'} |
| | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'} |
| | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'} |

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:01:39.324Z

Reserved: 2026-02-09T16:56:09.456Z

Link: CVE-2026-2259

Vulnrichment

Updated: 2026-02-10T20:19:21.966Z

NVD

Status: Analyzed

Published: 2026-02-10T04:16:05.433

Modified: 2026-02-17T15:08:39.840

Link: CVE-2026-2259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:00:08Z

Weaknesses