Description
A security flaw has been discovered in janet-lang janet up to 1.41.0. This affects the function doframe of the file src/core/debug.c. Performing a manipulation results in out-of-bounds read. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named ed17dd2c5913a23fb1107251e44a9410a3c30cf5.
Published: 2026-06-01
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the `doframe` function in Janet's `src/core/debug.c` and permits an out-of-bounds read. An attacker who can run code locally can manipulate the function into reading memory that should not be accessible, potentially leaking sensitive data. The flaw is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read).

Affected Systems

Janet language interpreter (janet-lang:janet) versions up to and including 1.41.0 are affected. The issue impacts all installations running these releases, regardless of operating system, as the flaw is in the core interpreter code.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. EPSS data is currently unavailable, and the vulnerability is not listed in CISA's KEV catalog. Because exploitation requires local execution, the flaw is most relevant to environments where untrusted code may run on the same system. A public exploit has been released, though no widespread exploitation is reported in the data provided.

Generated by OpenCVE AI on June 1, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Janet to a patched version that includes commit ed17dd2c5913a23fb1107251e44a9410a3c30cf5 or newer
  • If an update is not immediately possible, limit the execution of untrusted Janet scripts and run them in isolated containers
  • As a temporary workaround, disable or remove the `debug.c` module to eliminate the vulnerable `doframe` functionality

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics (ssvc) | | `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Mon, 01 Jun 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A security flaw has been discovered in janet-lang janet up to 1.41.0. This affects the function doframe of the file src/core/debug.c. Performing a manipulation results in out-of-bounds read. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named ed17dd2c5913a23fb1107251e44a9410a3c30cf5. |
| Title | | janet-lang janet debug.c doframe out-of-bounds |
| First Time appeared | | Janet-lang; Janet-lang janet |
| Weaknesses | | CWE-119; CWE-125 |
| CPEs | | `cpe:2.3:a:janet-lang:janet:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Janet-lang; Janet-lang janet |
| References | | |
| Metrics (cvssV2_0) | | `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}` |
| Metrics (cvssV3_0) | | `{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}` |
| Metrics (cvssV3_1) | | `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}` |
| Metrics (cvssV4_0) | | `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}` |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T15:03:01.251Z

Reserved: 2026-05-31T14:06:36.144Z

Link: CVE-2026-10267

Vulnrichment

Updated: 2026-06-01T15:02:57.803Z

NVD

Status: Deferred

Published: 2026-06-01T15:16:33.203

Modified: 2026-06-01T16:41:55.090

Link: CVE-2026-10267

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T17:30:15Z

Weaknesses