CVE-2026-2887 Overview
A security vulnerability has been discovered in the Lobster programming language developed by Strlen (aardappel). The vulnerability affects versions up to 2025.4 and involves an uncontrolled recursion flaw in the lobster::TypeName function within the dev/src/lobster/idents.h library. This vulnerability can lead to denial of service conditions through stack exhaustion when processing maliciously crafted type definitions.
Critical Impact
Local attackers with the ability to execute Lobster code can trigger infinite recursion in the type name resolution function, causing stack exhaustion and application crashes. The exploit has been publicly disclosed.
Affected Products
- Strlen Lobster versions up to 2025.4
- Applications using the lobster::TypeName function in dev/src/lobster/idents.h
- Development environments running vulnerable Lobster interpreter/compiler versions
Discovery Timeline
- 2026-02-21 - CVE CVE-2026-2887 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-2887
Vulnerability Analysis
This vulnerability is classified under CWE-674 (Uncontrolled Recursion) and CWE-404 (Improper Resource Shutdown or Release). The flaw exists in the lobster::TypeName function which handles type name resolution and printing. When processing certain type structures, particularly complex or circular type definitions, the function can enter an endless recursive loop without any depth limiting mechanism.
The attack requires local access to execute Lobster code, making it a local exploitation vector. The primary impact is availability degradation through resource exhaustion, as the uncontrolled recursion consumes stack space until the process crashes or the system runs out of stack memory.
Root Cause
The root cause is the absence of a recursion depth limit in the TypeName function signature. The original implementation allowed infinite recursive calls when resolving nested or self-referential type structures. Without a depth counter to track and limit recursion levels, the function could call itself indefinitely when encountering specially crafted type definitions that create circular references.
Attack Vector
The attack vector is local, requiring an attacker to have the ability to execute Lobster scripts or code on the target system. An attacker can craft a malicious Lobster script containing type definitions that trigger the endless recursion in the TypeName function. When the Lobster interpreter processes this script and attempts to resolve or print the type name, it enters the recursive loop, eventually exhausting stack resources and crashing.
The following patch from commit 8ba49f98ccfc9734ef352146806433a41d9f9aa6 demonstrates the fix, which adds a depth tracking parameter:
}
}
-inline string TypeName(UnTypeRef type, bool tuple_brackets = true);
+inline string TypeName(UnTypeRef type, bool tuple_brackets = true, int depth = 0);
struct SymbolTable {
Lex &lex;
Source: GitHub Commit Details
Detection Methods for CVE-2026-2887
Indicators of Compromise
- Lobster interpreter or compiler processes crashing unexpectedly with stack overflow errors
- Sudden increases in memory or stack usage when processing Lobster scripts
- Process termination with segmentation faults or stack exhaustion messages in environments running Lobster code
Detection Strategies
- Monitor for abnormal stack growth or memory consumption in processes executing Lobster code
- Implement process monitoring to detect interpreter crashes with stack-related error signatures
- Review Lobster scripts being processed for unusual or deeply nested type definitions
- Check application logs for recurring crash patterns in Lobster compilation or interpretation workflows
Monitoring Recommendations
- Set up alerts for Lobster process crashes in production environments
- Monitor system resource usage (particularly stack memory) for processes running Lobster code
- Implement logging for type resolution operations in custom Lobster integrations
- Track version information for deployed Lobster installations to identify unpatched instances
How to Mitigate CVE-2026-2887
Immediate Actions Required
- Upgrade Strlen Lobster to version 2026.1 or later which contains the fix
- Review any untrusted Lobster scripts before execution in your environment
- Implement resource limits (ulimit, cgroups) for processes running Lobster code as a defense-in-depth measure
- Monitor systems running older Lobster versions for signs of exploitation until upgrades can be completed
Patch Information
The vulnerability is resolved in Lobster version 2026.1. The fix introduces a depth parameter to the TypeName function to prevent uncontrolled recursion. The security patch is available in commit 8ba49f98ccfc9734ef352146806433a41d9f9aa6.
For detailed patch information, refer to:
Workarounds
- Restrict execution of untrusted Lobster scripts until the patch can be applied
- Implement process isolation and resource limits to contain potential crashes
- Use containerization to limit the blast radius of any denial of service conditions
- Disable or limit access to Lobster compilation/interpretation features in multi-tenant environments
# Configuration example - Apply resource limits to Lobster processes
# Set stack size limit to prevent runaway recursion from exhausting system resources
ulimit -s 8192
# Run Lobster interpreter with limited resources using timeout
timeout --signal=KILL 30s lobster script.lobster
# Alternative: Use cgroups for process resource isolation (Linux)
cgcreate -g memory,cpu:lobster_sandbox
cgset -r memory.limit_in_bytes=512M lobster_sandbox
cgexec -g memory,cpu:lobster_sandbox lobster script.lobster
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
