Description
A weakness has been identified in janet-lang janet up to 1.41.0. It affects the function unmarshal_one_fiber in the file src/core/marsh.c. Manipulation can lead to an integer overflow. The attack can be launched on the local host. The exploit has been made available to the public and could be used for attacks. The patch is identified as d9b1d711ea1fde52ac73a82088b512a3e17bad0d and should be applied to remediate this issue.
Published: 2026-06-01
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow in the unmarshal_one_fiber function of janet‑lang Janet allows an attacker who can execute code on the local host to manipulate the internal state of the interpreter. The overflow can corrupt memory or cause the interpreter to behave unpredictably, potentially leading to denial of service or more severe corruption depending on the context.

Affected Systems

Janet language implementations up to version 1.41.0 are affected. The issue originates in src/core/marsh.c and is present in all builds that do not include the patch commit.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be launched only on the local host, and public proof‑of‑concept code has been released. The risk is therefore limited to environments where arbitrary Janet code can be executed by a local attacker.

Generated by OpenCVE AI on June 1, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Janet installation to a version that includes commit d9b1d711ea1fde52ac73a82088b512a3e17bad0d or later.
  • If an upgrade cannot be performed immediately, run Janet instances inside a virtual machine or container to isolate local execution from critical system components.
  • Allow only trusted users to run Janet scripts, and avoid installing or running untrusted or unverified code on the affected host.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 18:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 17:00:00 +0000

Values Removed: none
Values Added:
Description: same text as the Description at the top of this page
Title: janet-lang janet marsh.c unmarshal_one_fiber integer overflow
First Time appeared: Janet-lang; Janet-lang janet
Weaknesses: CWE-189; CWE-190
CPEs: cpe:2.3:a:janet-lang:janet:*:*:*:*:*:*:*:*
Vendors & Products: Janet-lang; Janet-lang janet
References:
Metrics:
  cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
  cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
  cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-01T17:50:51.836Z

Reserved: 2026-05-31T14:06:38.539Z

Link: CVE-2026-10268

Vulnrichment

Updated: 2026-06-01T17:46:34.088Z

NVD

Status: Deferred

Published: 2026-06-01T17:16:42.897

Modified: 2026-06-01T17:57:16.380

Link: CVE-2026-10268

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T18:30:06Z
