Description
A vulnerability was detected in wren-lang wren up to 0.4.0. Affected is the function resolveLocal of the file src/vm/wren_compiler.c. The manipulation results in uncontrolled recursion. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-01
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess
AI Analysis

Impact

The issue occurs in the resolveLocal routine of Wren’s compiler and allows a local attacker to trigger uncontrolled recursion. The recursion can exhaust stack or heap resources, resulting in a crash or unresponsive state of the compiling process or the entire host application. The weakness is a classic uncontrolled recursion flaw, reflected in the CWE-674 identifier. No remote execution is possible; the attacker must have local code execution capability to trigger the effect.

Affected Systems

The vulnerability is present in all Wren releases up to and including 0.4.0. No specific sub-version range is listed beyond the upper bound, and the CVE catalog identifies the vendor as wren-lang and the product as Wren.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while the EPSS score of less than 1% signals that public exploitation is currently unlikely. The vulnerability is not on the CISA KEV list. Exploitation requires local access, so the attack surface is restricted to insiders or compromised local accounts. A local attacker who can invoke the Wren compiler can force a denial of service by exhausting resources, but no confidentiality or integrity impact would normally result unless the attacker can influence other processes.

Generated by OpenCVE AI on April 17, 2026 at 13:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of Wren that contains the resolveLocal fix; if a fixed version is unavailable, plan a migration path to a patched build.
  • If upgrading is not immediately possible, implement a runtime recursion depth limit in the compiler or employ static analysis tools to detect and flag vulnerable code paths.
  • Restrict local execution of the Wren compiler to trusted users or isolate it in a sandboxed environment to reduce the risk that an attacker can trigger the recursion.


Tracking


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wren, Wren wren
CPEs | | cpe:2.3:a:wren:wren:*:*:*:*:*:*:*:*
Vendors & Products | | Wren, Wren wren

Mon, 02 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wren-lang, Wren-lang wren
Vendors & Products | | Wren-lang, Wren-lang wren

Sun, 01 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in wren-lang wren up to 0.4.0. Affected is the function resolveLocal of the file src/vm/wren_compiler.c. The manipulation results in uncontrolled recursion. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title | | wren-lang wren wren_compiler.c resolveLocal recursion
Weaknesses | | CWE-404, CWE-674
References | |
Metrics | | cvssV2_0 {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-02T19:34:14.330Z

Reserved: 2026-02-28T14:49:52.976Z

Link: CVE-2026-3385

Vulnrichment

Updated: 2026-03-02T19:34:10.586Z

NVD

Status: Analyzed

Published: 2026-03-01T09:15:57.040

Modified: 2026-03-10T14:24:15.070

Link: CVE-2026-3385

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses