CVE-2026-3285 in berry
Summary
by MITRE • 02/27/2026
A vulnerability was determined in berry-lang berry up to 1.1.0. The affected element is the function scan_string of the file src/be_lexer.c. This manipulation causes an out-of-bounds read. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Patch name: 7149c59a39ba44feca261b12f06089f265fec176. Applying a patch is the recommended action to fix this issue.
Analysis
by VulDB Data Team • 03/03/2026
The vulnerability identified as CVE-2026-3285 affects the berry-lang berry programming language, version 1.1.0 and earlier, specifically the scan_string function in the src/be_lexer.c source file. This issue is a critical out-of-bounds read condition that can be exploited by attackers with local system access. The vulnerability stems from improper input validation during string parsing: the lexer fails to bounds-check array accesses while processing string literals. The affected function consumes input tokens and maintains internal buffers for string handling, but lacks adequate boundary verification. When a malformed or specially crafted string literal is processed by this function, the program reads memory beyond the allocated buffer boundaries, potentially exposing sensitive data or causing unpredictable program behavior.
Exploiting this vulnerability requires local access to the system running the berry-lang interpreter; remote exploitation is not feasible given the nature of the attack vector. Attackers with local privileges can craft input sequences that trigger the out-of-bounds read, potentially leading to information disclosure or denial of service. The vulnerability manifests when the lexer encounters certain string patterns that cause the scan_string function to access memory outside the intended buffer limits. This type of vulnerability falls under CWE-129, which specifically addresses insufficient bounds checking, and is a classic example of improper input validation in lexical analysis components. The attack technique aligns with ATT&CK tactic TA0005 (Defense Evasion) and technique T1059.007 (Command and Scripting Interpreter: PowerShell) when considering potential post-exploitation activities.
The operational impact of this vulnerability extends beyond simple memory access violations, as it can potentially expose sensitive information stored in adjacent memory locations. The out-of-bounds read may inadvertently reveal stack contents, heap data, or other program variables that could be leveraged for further exploitation. System administrators and developers using berry-lang for scripting or embedded applications face significant risks, particularly in environments where local privilege escalation is possible. The vulnerability affects any application or system that relies on the berry-lang lexer for processing user input, including development tools, embedded systems, or automation scripts. Organizations should consider the broader implications of this vulnerability within their software supply chains, as the berry-lang interpreter may be used in various contexts where security is paramount.
Security mitigation for CVE-2026-3285 requires immediate implementation of the provided patch identified by commit hash 7149c59a39ba44feca261b12f06089f265fec176. The patch addresses the core issue by implementing proper bounds checking within the scan_string function to prevent memory access violations. System administrators should prioritize patch deployment across all systems running berry-lang versions up to 1.1.0, particularly in environments where local access controls are insufficient or where the interpreter is used in security-critical applications. Additionally, organizations should implement monitoring for unusual memory access patterns or unexpected behavior in systems utilizing the berry-lang interpreter. The remediation process should include thorough testing of patched systems to ensure that the vulnerability is fully resolved without introducing regressions in functionality. Regular security assessments and code reviews should be conducted to identify similar potential vulnerabilities in other lexical analysis components within the software ecosystem.
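As an added illustration of the bounds check a string-literal scanner needs (this is example code written for this page, not berry's scan_string and not the contents of the referenced patch), the following C scanner guards every read with the buffer length, so an unterminated literal or a literal ending in a backslash is reported instead of being read past the end of the buffer. Function names, the result struct and the escape handling are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of scanning one string literal. The scan starts at the byte right
 * after the opening quote and must never touch src[len] or anything beyond. */
typedef enum {
    SCAN_OK,                 /* closing quote found inside the buffer     */
    SCAN_ERR_UNTERMINATED,   /* input ended before the closing quote      */
    SCAN_ERR_BAD_ESCAPE      /* a backslash was the last byte of the input */
} scan_status;

typedef struct {
    scan_status status;
    size_t end;      /* index one past the closing quote (== len on error)  */
    size_t length;   /* raw bytes between the quotes, escapes not decoded   */
} scan_result;

/* Length-bounded scanner (hypothetical API): every src[i] access is guarded
 * by i < len. The scanner does not rely on a NUL terminator, so embedded NUL
 * bytes in the source buffer are treated as ordinary literal content. */
scan_result scan_string_bounded(const char *src, size_t len, size_t start, char quote)
{
    scan_result r = { SCAN_ERR_UNTERMINATED, len, 0 };
    size_t i = start;
    while (i < len) {
        char c = src[i];
        if (c == quote) {
            r.status = SCAN_OK;
            r.end = i + 1;
            r.length = i - start;
            return r;
        }
        if (c == '\\') {
            /* An escape consumes the byte after the backslash, so that byte
             * must be checked for existence first. Advancing by two without
             * this check is the classic way a string scanner over-reads. */
            if (i + 1 >= len) {
                r.status = SCAN_ERR_BAD_ESCAPE;
                return r;
            }
            i += 2;
            continue;
        }
        i++;
    }
    return r;  /* closing quote never seen: report, do not keep reading */
}

/* Convenience wrapper for NUL-terminated text whose first byte is the quote. */
scan_result scan_literal(const char *literal)
{
    return scan_string_bounded(literal, strlen(literal), 1, literal[0]);
}
```

The same length-bounded discipline applies to any lexer that walks a buffer: the check that the next byte exists belongs before the read, not after it.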