Home

Description

A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 will fix this issue. The name of the patch is 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.

PUBLISHED Reserved 2026-02-20 | Published 2026-02-21 | Updated 2026-02-21 | Assigner VulDB




MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
LOW: 3.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
LOW: 3.3CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
1.7AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C

Problem types

Uncontrolled Recursion

Denial of Service

Product status

2025.0
affected

2025.1
affected

2025.2
affected

2025.3
affected

2025.4
affected

2026.1
unaffected

Timeline

2026-02-20:Advisory disclosed
2026-02-20:VulDB entry created
2026-02-20:VulDB entry last update

Credits

Oneafter (VulDB User) reporter

References

vuldb.com/?id.347181 (VDB-347181 | aardappel lobster idents.h TypeName recursion) vdb-entry technical-description

vuldb.com/?ctiid.347181 (VDB-347181 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.755026 (Submit #755026 | aardappel lobster c8a6042 Uncontrolled Recursion) third-party-advisory

github.com/aardappel/lobster/issues/397 issue-tracking

github.com/aardappel/lobster/issues/397 issue-tracking

github.com/oneafter/0204/blob/main/lob3/repro.lobster exploit

github.com/...ommit/8ba49f98ccfc9734ef352146806433a41d9f9aa6 patch

github.com/aardappel/lobster/releases/tag/v2026.1 patch

github.com/aardappel/lobster/ product

cve.org (CVE-2026-2887)

nvd.nist.gov (CVE-2026-2887)

Download JSON