Description
A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in an out-of-bounds read. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is identified by commit 0f285855f0e34f9183956be5f16e045f54626bff. To fix this issue, it is recommended to deploy a patch.
Published: 2026-02-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Read
Action: Assess Impact
AI Analysis

Impact

An out-of-bounds read vulnerability exists in the os_strftime function of janet-lang's core library. When a specially crafted input is processed, the function performs a read beyond the bounds of an internal buffer, potentially exposing sensitive data from memory. This flaw does not provide direct code execution but can leak confidential information from the local process space. The weakness is identified as a buffer overread, classified under the Common Weakness Enumeration identifiers CWE-119 and CWE-125.

Affected Systems

The affected product is janet-lang:janet, up to and including version 1.40.1. No newer releases are listed as currently patched. All builds of the language that include the vulnerable os_strftime implementation before the referenced commit are subject to this issue.

Risk and Exploitability

The CVSS score for this vulnerability is 4.8, indicating a moderate impact and limited exploitation potential. The EPSS score is below 1%, implying a very low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because the attack must be initiated locally and the exploit has already been made public, any adversary with local access to a system running an affected version could perform a memory disclosure. No remote attack vector or elevated privileges are required beyond local execution.

Generated by OpenCVE AI on April 18, 2026 at 13:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch identified by commit 0f285855f0e34f9183956be5f16e045f54626bff, which updates janet-lang to a version containing the fix.
  • If upgrading immediately is not feasible, mitigate the risk by restricting local use of the os_strftime function, such as disabling it in production deployments or implementing input validation that prevents the crafted strings that trigger the out-of-bounds read.
  • If neither patching nor disabling the function is possible, compile Janet without the os_strftime implementation or run the interpreter in a sandboxed environment that limits memory access.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:45:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:janet-lang:janet:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 12:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Janet-lang; Janet-lang janet
Vendors & Products  |                | Janet-lang; Janet-lang janet

Mon, 09 Feb 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 16:30:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in out-of-bounds read. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is named 0f285855f0e34f9183956be5f16e045f54626bff. To fix this issue, it is recommended to deploy a patch.
Title       |                | janet-lang janet os.c os_strftime out-of-bounds
Weaknesses  |                | CWE-119; CWE-125
References  |                |
Metrics     |                | cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
            |                | cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
            |                | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
            |                | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:00:21.668Z

Reserved: 2026-02-09T09:38:29.872Z

Link: CVE-2026-2241

Vulnrichment

Updated: 2026-02-09T16:39:18.899Z

NVD

Status: Analyzed

Published: 2026-02-09T18:16:08.660

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:15:25Z

Weaknesses