Description
A flaw has been found in wren-lang wren up to 0.4.0. Affected by this vulnerability is the function emitOp of the file src/vm/wren_compiler.c. This manipulation causes out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-03-01
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Disclosure
Action: Upgrade
AI Analysis

Impact

The vulnerability is an out-of-bounds read in the emitOp function of the Wren compiler, which can expose internal memory contents and potentially allow local attackers to read unintended data, a classic buffer access flaw (CWE-119/CWE-125).

Affected Systems

The issue affects the Wren language compiler supplied by wren-lang and applies to all releases up to version 0.4.0; the problem resides in src/vm/wren_compiler.c and has been reported against the official GitHub repository.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate risk while the EPSS score of under 1% reflects a very low exploitation probability; the vulnerability is not listed in the CISA KEV catalog and can only be leveraged from the local host, with a published exploit available in the public domain.

Generated by OpenCVE AI on April 16, 2026 at 14:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wren to a version that patches the emitOp bounds check (for example, a release newer than 0.4.0).
  • Until a patch lands, isolate the compilation environment by restricting file and network access for the compiler process and limiting execution privileges.
  • Monitor the system for irregular memory accesses or suspicious compiler execution patterns, and consider disabling Wren compilation features if they are not required.

Generated by OpenCVE AI on April 16, 2026 at 14:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Wren
Wren wren
CPEs cpe:2.3:a:wren:wren:*:*:*:*:*:*:*:*
Vendors & Products Wren
Wren wren

Mon, 02 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Wren-lang
Wren-lang wren
Vendors & Products Wren-lang
Wren-lang wren

Sun, 01 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in wren-lang wren up to 0.4.0. Affected by this vulnerability is the function emitOp of the file src/vm/wren_compiler.c. This manipulation causes out-of-bounds read. It is possible to launch the attack on the local host. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Title wren-lang wren wren_compiler.c emitOp out-of-bounds
Weaknesses CWE-119
CWE-125
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Wren Wren
Wren-lang Wren
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-02T19:34:45.550Z

Reserved: 2026-02-28T14:49:56.558Z

Link: CVE-2026-3386

cve-icon Vulnrichment

Updated: 2026-03-02T19:34:40.549Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-01T09:15:58.147

Modified: 2026-03-05T01:53:18.290

Link: CVE-2026-3386

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:00:14Z

Weaknesses