CVE-2026-3384 Overview
A security vulnerability has been identified in ChaiScript, an embedded scripting language for C++, affecting versions up to and including 6.1.0. This vulnerability exists in the chaiscript::eval::AST_Node_Impl::eval and chaiscript::eval::Function_Push_Pop functions within the file include/chaiscript/language/chaiscript_eval.hpp. The flaw allows for uncontrolled recursion, which can be exploited to cause a denial of service condition through resource exhaustion.
Critical Impact
Local attackers with low privileges can trigger uncontrolled recursion leading to stack exhaustion and application crash, causing denial of service for applications embedding ChaiScript.
Affected Products
- ChaiScript versions up to and including 6.1.0
- Applications embedding ChaiScript scripting engine
- C++ projects utilizing ChaiScript for embedded scripting functionality
Discovery Timeline
- 2026-03-01 - CVE-2026-3384 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-3384
Vulnerability Analysis
This vulnerability is classified as an uncontrolled recursion issue (CWE-404: Improper Resource Shutdown or Release). The vulnerability resides in the AST (Abstract Syntax Tree) evaluation logic within ChaiScript's core evaluation engine. When processing certain maliciously crafted scripts, the evaluation functions fail to properly limit recursion depth, allowing an attacker to construct input that triggers deeply nested function calls.
The affected code path involves the AST_Node_Impl::eval method and the Function_Push_Pop helper class in chaiscript_eval.hpp. These components are responsible for traversing and evaluating the parsed script's AST representation. Without proper recursion bounds checking, deeply nested or circular script constructs can cause the call stack to grow unboundedly until stack memory is exhausted.
The attack requires local access to the system running an application that embeds ChaiScript, and the attacker must be able to provide malicious script input to the ChaiScript interpreter. While this limits the attack surface compared to remote vulnerabilities, applications that accept user-provided scripts for evaluation are at risk.
Root Cause
The root cause of this vulnerability is the absence of adequate recursion depth limits in the AST evaluation logic. The chaiscript::eval::AST_Node_Impl::eval function recursively processes AST nodes without implementing a maximum depth counter or guard mechanism. This allows malicious or malformed scripts containing deeply nested expressions, recursive function definitions, or circular reference patterns to exhaust stack resources.
Attack Vector
The attack vector is local, requiring an attacker to have access to provide script input to an application using ChaiScript. The attacker constructs a script designed to trigger excessive recursion in the evaluation engine. This could involve:
- Deeply nested function calls or expressions
- Self-referential or mutually recursive constructs
- Pathological AST structures that maximize recursion depth
When the vulnerable ChaiScript interpreter attempts to evaluate such a script, the uncontrolled recursion leads to stack exhaustion, causing the host application to crash or become unresponsive. The exploit has been publicly disclosed through GitHub Issue #633, increasing the risk of exploitation.
The vulnerability mechanism involves the recursive traversal of AST nodes during script evaluation. When maliciously crafted input creates an extremely deep or circular AST structure, each level of recursion consumes stack space. Without depth limiting, this eventually exceeds available stack memory, triggering a stack overflow condition. Technical details regarding the specific exploitation mechanism can be found in the public issue report.
Detection Methods for CVE-2026-3384
Indicators of Compromise
- Unexpected application crashes with stack overflow errors in processes using ChaiScript
- Abnormally large or deeply nested script files being processed by ChaiScript-enabled applications
- Core dumps or crash logs indicating stack exhaustion in chaiscript_eval.hpp related functions
Detection Strategies
- Monitor for application crashes with stack traces containing chaiscript::eval::AST_Node_Impl::eval or chaiscript::eval::Function_Push_Pop
- Implement runtime monitoring for abnormal stack usage in applications embedding ChaiScript
- Analyze script inputs for suspicious nesting depth or recursive patterns before evaluation
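One way to do the pre-evaluation check in the last item, as an added example (not ChaiScript code and not from the advisory): a single-pass C++ scanner that bounds script size and bracket nesting, which also fits the input-validation workaround listed later. The names `check_script`, `ScriptLimits` and `nested_expr` and both limits are assumptions, and the filter is coarse: it cannot see recursion that only arises at run time.

```cpp
// Added example: coarse pre-evaluation filter; not part of ChaiScript.
#include <cstddef>
#include <string>

struct ScriptLimits {
    std::size_t max_bytes = 64 * 1024;  // assumed policy value
    std::size_t max_depth = 64;         // assumed policy value
};

enum class Verdict { Accept, TooLarge, TooDeep, Unbalanced };

// Scans the script once, tracking how deeply (), [] and {} are nested.
// Quoted literals and C-style comments are skipped so their brackets do not count.
Verdict check_script(const std::string& src, const ScriptLimits& lim = ScriptLimits{}) {
    if (src.size() > lim.max_bytes) return Verdict::TooLarge;
    std::size_t depth = 0;
    for (std::size_t i = 0; i < src.size(); ++i) {
        const char c = src[i];
        const char next = (i + 1 < src.size()) ? src[i + 1] : '\0';
        if (c == '"' || c == '\'') {                  // quoted literal
            for (++i; i < src.size() && src[i] != c; ++i)
                if (src[i] == '\\') ++i;              // skip the escaped character
        } else if (c == '/' && next == '/') {         // line comment
            while (i < src.size() && src[i] != '\n') ++i;
        } else if (c == '/' && next == '*') {         // block comment
            const std::size_t end = src.find("*/", i + 2);
            if (end == std::string::npos) break;      // rest of input is comment
            i = end + 1;
        } else if (c == '(' || c == '[' || c == '{') {
            if (++depth > lim.max_depth) return Verdict::TooDeep;
        } else if (c == ')' || c == ']' || c == '}') {
            if (depth == 0) return Verdict::Unbalanced;
            --depth;
        }
    }
    return depth == 0 ? Verdict::Accept : Verdict::Unbalanced;
}

// Constructed sample input: n nested parentheses around a literal.
std::string nested_expr(std::size_t n) {
    return std::string(n, '(') + "1" + std::string(n, ')');
}
```

Call `check_script` on every untrusted script and evaluate only on `Verdict::Accept`; log the other verdicts with the script's source so rejected inputs can be reviewed.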
Monitoring Recommendations
- Enable crash reporting and analysis for applications using ChaiScript to identify potential exploitation attempts
- Log and audit all script inputs provided to ChaiScript interpreters, particularly from untrusted sources
- Set up resource usage alerts for abnormal memory or stack consumption patterns
How to Mitigate CVE-2026-3384
Immediate Actions Required
- Evaluate whether your applications use ChaiScript version 6.1.0 or earlier and assess exposure to untrusted script input
- Restrict script execution capabilities to trusted users or sources where possible
- Implement application-level recursion or resource limits before passing scripts to ChaiScript
- Consider sandboxing ChaiScript execution to contain potential denial of service impacts
Patch Information
At the time of publication, the ChaiScript project has been notified of this vulnerability through GitHub Issue #633 but has not yet released an official patch. Organizations using ChaiScript should monitor the ChaiScript GitHub repository for security updates. Additional vulnerability details are available through VulDB #348270.
Workarounds
- Implement input validation to reject scripts exceeding a reasonable complexity or nesting threshold before ChaiScript evaluation
- Apply operating system-level stack size limits to contain the impact of uncontrolled recursion
- Isolate ChaiScript execution in separate processes with resource limits to prevent crashes from affecting the main application
- Disable or restrict ChaiScript functionality in production environments where untrusted input may be processed
# Example: Limit stack size for ChaiScript-enabled applications (Linux)
ulimit -s 8192 # Set stack size limit to 8MB
./chaiscript_application
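The process-isolation workaround, as an added C++ example for POSIX hosts (not ChaiScript code and not from the advisory): the evaluation runs in a forked child with stack, CPU and core-file limits, so a stack overflow ends the child and the parent sees a signal instead of crashing. `run_isolated`, the `evaluate` callback and the 5-second CPU budget are assumptions.

```cpp
// Added example (POSIX): evaluate an untrusted script in a resource-limited child.
#include <csignal>
#include <functional>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum class Outcome { Ok, ScriptError, Crashed, SpawnFailed };

// Lower one limit (soft and hard) without ever trying to raise a hard limit.
static bool cap(int resource, rlim_t value) {
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0) return false;
    if (value > rl.rlim_max) value = rl.rlim_max;
    rl.rlim_cur = rl.rlim_max = value;
    return setrlimit(resource, &rl) == 0;
}

// `evaluate` is a placeholder for the host's call into the interpreter.
// It runs only in the child and returns 0 on success.
Outcome run_isolated(const std::function<int()>& evaluate) {
    const pid_t pid = fork();
    if (pid < 0) return Outcome::SpawnFailed;
    if (pid == 0) {
        int rc = 1;
        if (cap(RLIMIT_STACK, 8u * 1024 * 1024) &&  // same 8 MB as `ulimit -s 8192`
            cap(RLIMIT_CPU, 5) &&                   // seconds; assumed budget
            cap(RLIMIT_CORE, 0)) {                  // no core file per bad script
            try {
                rc = evaluate();
            } catch (...) {
                rc = 1;  // an exception must not unwind into the parent's code path
            }
        }
        _exit(rc == 0 ? 0 : 1);  // skip atexit handlers and duplicated stdio buffers
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return Outcome::SpawnFailed;
    if (WIFSIGNALED(status)) return Outcome::Crashed;  // e.g. SIGSEGV or SIGXCPU
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? Outcome::Ok
                                                           : Outcome::ScriptError;
}
```

Results have to come back over a pipe or a file, since the child shares no memory with the parent after `fork`; an `Outcome::Crashed` return is also the event to feed into the crash monitoring described under Detection Strategies.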

