CVE-2026-3285 Overview
A vulnerability has been identified in berry-lang berry through version 1.1.0. The affected code is the function scan_string in src/be_lexer.c, the string-scanning routine of the Berry interpreter's lexer. A string literal that ends in an unfinished escape sequence causes an out-of-bounds read. The attack requires local access to the system: the attacker must be able to hand a script to the interpreter. The exploit has been publicly disclosed and may be used.
Critical Impact
An attacker who can get the interpreter to lex a crafted Berry script can trigger an out-of-bounds read in the lexer. The practical outcomes are a crash of the process that embeds Berry (denial of service) and, depending on what lies beyond the input buffer, disclosure of adjacent memory through whatever the lexer later does with the over-read bytes. Because the defect is a read and not a write, it does not by itself give the attacker control of execution.
Affected Products
- berry-lang berry version 1.1.0 and earlier
- Any build whose src/be_lexer.c predates commit 7149c59a39ba44feca261b12f06089f265fec176
- Applications that embed an unpatched interpreter and lex scripts they did not author
Discovery Timeline
- 2026-02-27 - CVE-2026-3285 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2026-3285
Vulnerability Analysis
This vulnerability is an out-of-bounds read (CWE-125, a specific case of CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer) in the scan_string function in src/be_lexer.c. The loop that copies a string literal into the token buffer checks for end-of-stream (EOS) only at the top of each iteration. When it meets a backslash it saves the backslash and then unconditionally saves the following character, so that an escaped quote does not terminate the literal. If the backslash is the last character of the input, the "following character" is the EOS marker itself: saving it advances the cursor past the end of the input, and the next read takes memory beyond the buffer.
Exploitation requires local access in the sense used by the advisory: the attacker must be able to supply input to the interpreter, for example a script file or a string that the host application passes to the Berry compiler.
Root Cause
The root cause is missing boundary validation in the escape-sequence handling of scan_string. After consuming a backslash (\) the lexer consumes the next character without checking whether the stream has already ended. A string literal that ends with an unfinished escape sequence therefore pushes the cursor past the end of the input, and the following read is out of bounds.
Attack Vector
The attack vector is local: the attacker needs the ability to provide input to the Berry interpreter. Exploitation involves:
- Creating a malformed Berry script whose final string literal ends with a backslash and no following character
- Having the vulnerable interpreter lex this input
- The lexer consumes the EOS marker as the "escaped" character and reads beyond the buffer on the next iteration
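The failure mode above, as an added example that is not Berry's source: a reduced C model of the scan_string loop with the unchecked second save() beside the patched variant. The lexer_t struct, lgetc()/next()/save() and the overread counter are simplifications with assumed names, not the project's API; the over-read is counted rather than dereferenced so the program is safe to run, and the two inputs (an escaped quote, and a literal ending in a lone backslash, i.e. a script such as print("abc\ cut off at the backslash) are constructed. Only the loop body mirrors the code in the patch.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Berry's source. A reduced model of scan_string() from
 * src/be_lexer.c: the lexer struct, lgetc()/next()/save() and the overread
 * counter are simplifications; only the loop mirrors the patched code.
 */
#define EOS '\0'
#define TOKBUF 64

typedef struct {
    const char *src;     /* script text, NUL-terminated like a C string   */
    size_t len;          /* strlen(src); src[len] is the EOS terminator   */
    size_t pos;          /* index the cursor sits on                       */
    char buf[TOKBUF];    /* raw token buffer (escapes not yet decoded)     */
    size_t buflen;
    int overread;        /* counts reads past the terminator, src[len+1..] */
} lexer_t;

/* Current character. A read past the terminator is the out-of-bounds read;
 * it is counted instead of dereferenced so the demo is safe to run. */
static int lgetc(lexer_t *lx)
{
    if (lx->pos > lx->len) {
        lx->overread++;
        return EOS;
    }
    return (unsigned char)lx->src[lx->pos];
}

static void next(lexer_t *lx) { lx->pos++; }

/* Append the current character to the token buffer and advance. */
static void save(lexer_t *lx)
{
    if (lx->buflen < TOKBUF - 1)
        lx->buf[lx->buflen++] = (char)lgetc(lx);
    next(lx);
}

static void lexer_init(lexer_t *lx, const char *src)
{
    memset(lx, 0, sizeof *lx);
    lx->src = src;
    lx->len = strlen(src);
}

/* Returns the raw length of the string body, or -1 for an unterminated
 * string. patched=0 reproduces the unchecked second save(). */
static int scan_string_impl(lexer_t *lx, int patched)
{
    int c, end = lgetc(lx);
    next(lx);                     /* skip opening quote */
    lx->buflen = 0;
    while ((c = lgetc(lx)) != EOS && c != end) {
        save(lx);
        if (c == '\\') {
            /* Patched: stop if the escape has no character to consume. */
            if (patched && lgetc(lx) == EOS) { c = EOS; break; }
            save(lx);             /* vulnerable: consumes EOS, steps past it */
        }
    }
    lx->buf[lx->buflen] = '\0';
    if (c == EOS)
        return -1;                /* unterminated string literal */
    next(lx);                     /* skip closing quote */
    return (int)lx->buflen;
}

int scan_string_vulnerable(lexer_t *lx) { return scan_string_impl(lx, 0); }
int scan_string_fixed(lexer_t *lx)      { return scan_string_impl(lx, 1); }

int main(void)
{
    /* constructed inputs: an escaped quote, and a literal cut off after '\' */
    static const char *inputs[] = { "\"a\\\"b\"", "\"abc\\" };
    for (size_t i = 0; i < 2; i++) {
        lexer_t lx;
        lexer_init(&lx, inputs[i]);
        int n = scan_string_vulnerable(&lx);
        printf("vulnerable: %-8s rc=%d overreads=%d\n", inputs[i], n, lx.overread);
        lexer_init(&lx, inputs[i]);
        n = scan_string_fixed(&lx);
        printf("fixed:      %-8s rc=%d overreads=%d\n", inputs[i], n, lx.overread);
    }
    return 0;
}
```

Both variants reject the truncated literal with -1; the difference is that the unpatched loop has already read one byte past the terminator before it notices. Against the real interpreter that read is what an AddressSanitizer build reports; here overread > 0 is the equivalent signal.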
The following patch from commit 7149c59a39ba44feca261b12f06089f265fec176 addresses the vulnerability:
while ((c = lgetc(lexer)) != EOS && (c != end)) {
save(lexer);
if (c == '\\') {
+ if (lgetc(lexer) == EOS) { c = EOS; break; }
save(lexer); /* skip '\\.' */
}
}
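Review bot: the new check exits the loop with c = EOS, but whether that becomes an unterminated-string error depends on the code after the loop, which this hunk does not show; include those trailing lines as context so a reviewer can confirm that a lone trailing backslash is rejected rather than silently accepted as the end of the literal. As a style point, `if (lgetc(lexer) == EOS) { c = EOS; break; }` packs two statements onto one line; splitting it to match the surrounding brace style would make the early exit easier to spot.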
Source: GitHub Commit Details
The patch adds a check after the backslash has been saved: if the cursor is already at end of stream, the loop exits with c set to EOS instead of saving the EOS marker and stepping past the end of the input.
Detection Methods for CVE-2026-3285
Indicators of Compromise
- Unexpected crashes or segmentation faults in processes that embed the Berry interpreter, with the fault inside the lexer (be_lexer.c, scan_string) on the stack
- Memory access violation errors in system logs attributed to Berry script execution
- Scripts from untrusted sources that end inside a string literal or with a trailing backslash
Detection Strategies
- Monitor Berry interpreter processes for unexpected termination or memory access violations
- Reject scripts that end inside a string literal or whose last character is a backslash before handing them to the interpreter
- Build the interpreter with AddressSanitizer (-fsanitize=address) in development and testing so the over-read is reported at the faulting line
Monitoring Recommendations
- Enable logging for Berry interpreter execution to track script processing errors
- Deploy memory safety monitoring tools in environments running Berry language scripts
- Review system logs for segmentation fault patterns associated with lexer operations
How to Mitigate CVE-2026-3285
Immediate Actions Required
- Update berry-lang berry to a version containing patch 7149c59a39ba44feca261b12f06089f265fec176
- Review and audit any Berry scripts from untrusted sources before execution
- Restrict local access to systems running Berry interpreter to trusted users only
Patch Information
A security patch has been released by berry-lang. The fix is available in commit 7149c59a39ba44feca261b12f06089f265fec176. The patch adds proper end-of-stream validation when processing escape sequences in string literals, preventing the out-of-bounds read condition. For detailed patch information, see the GitHub Commit Details and related GitHub Pull Request.
Workarounds
- Restrict execution of Berry scripts to trusted sources only until the patch can be applied
- Reject scripts that end inside a string literal or with a trailing backslash before parsing; this is the exact input shape that reaches the unchecked read
- Run Berry interpreter processes in sandboxed environments to limit impact of potential exploitation
# Apply the security patch from the official repository (building from source)
cd /path/to/berry
git fetch origin
# confirm the fix commit is reachable before cherry-picking it onto your branch
git cat-file -e 7149c59a39ba44feca261b12f06089f265fec176^{commit}
git cherry-pick 7149c59a39ba44feca261b12f06089f265fec176
make clean && make
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.