Home

Description

A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. Executing a manipulation can lead to memory corruption. The attack can only be executed locally. The exploit has been published and may be used. This patch is called c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd. It is advisable to implement a patch to correct this issue.

PUBLISHED Reserved 2026-02-09 | Published 2026-02-10 | Updated 2026-02-23 | Assigner VulDB




MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
LOW: 3.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
LOW: 3.3CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
1.7AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C

Problem types

Memory Corruption

Product status

2025.0
affected

2025.1
affected

2025.2
affected

2025.3
affected

2025.4
affected

Timeline

2026-02-09:Advisory disclosed
2026-02-09:VulDB entry created
2026-02-18:VulDB entry last update

Credits

Oneafter (VulDB User) reporter

References

vuldb.com/?id.345005 (VDB-345005 | aardappel lobster wfc.h WaveFunctionCollapse memory corruption) vdb-entry technical-description

vuldb.com/?ctiid.345005 (VDB-345005 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.753167 (Submit #753167 | aardappel lobster 2f45fe8 Return of Stack Variable Address) third-party-advisory

github.com/aardappel/lobster/issues/395 issue-tracking

github.com/aardappel/lobster/issues/395 issue-tracking

github.com/oneafter/0204/blob/main/lob1/repro.lobster exploit

github.com/...ommit/c2047a33e1ac2c42ab7e8704b33f7ea518a11ffd patch

github.com/aardappel/lobster/ product

cve.org (CVE-2026-2258)

nvd.nist.gov (CVE-2026-2258)

Download JSON