wren-lang, Uncontrolled Recursion, CVE-2026-3385 (MEDIUM)

Listen to this Post

The vulnerability CVE-2026-3385 resides in the `resolveLocal` function within `src/vm/wren_compiler.c` of the wren-lang interpreter, affecting versions up to 0.4.0. The `resolveLocal` function is responsible for resolving local variables in the Wren scripting language during the compilation phase. Due to a lack of proper depth control in its recursive algorithm, providing a specifically crafted script with deeply nested or self-referential local variable declarations causes the function to call itself repeatedly without termination. This uncontrolled recursion quickly exhausts the program’s stack memory, leading to a segmentation fault and a crash of the interpreter, resulting in a denial of service (DoS). The attack is local, requires low privileges, and a public proof-of-concept exploit is available, but the project has not yet responded to the report .

dailycve form:

Platform: wren-lang
Version: up to 0.4.0
Vulnerability : uncontrolled recursion
Severity: MEDIUM (4.8 CVSSv4)
date: 2026-03-01

Prediction: 60 days

What Undercode Say:

Analytics:

Check Wren version:

`wren –version` or check project’s `wren.h`.

Monitor crashes with system logs:

`dmesg | grep wren` or journalctl -xe | grep wren.

Exploit:

Trigger recursion by compiling malicious script.

Proof-of-Concept location:

https://github.com/oneafter/0122/blob/main/i1218/repro`
<h2 style="color: blue;">Core issue in
src/vm/wren_compiler.c:</h2>

// Vulnerable logic pattern in resolveLocal
static int resolveLocal(Compiler compiler, int depth) {
// Lacks proper depth limit check
if (depth > MAX_RECURSION) return -1; // This check is missing
return resolveLocal(compiler, depth + 1); // Uncontrolled recursion
}

<h2 style="color: blue;">Protection from this CVE:</h2>
<h2 style="color: blue;">No official patch; apply resource limits:</h2>
`ulimit -s unlimited` (increase stack) or `ulimit -S -v 500000` (limit memory).
<h2 style="color: blue;">Use sandboxing:</h2>
<h2 style="color: blue;">
firejail –noprofile –rlimit-as=500000 wren exploit.wren`

Rewrite `resolveLocal` to be iterative or include depth checks.

Impact:

Local Denial of Service via application crash; exhausts stack memory; no confidentiality or integrity impact; affects interpreters embedding the vulnerable library .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top