Description
A vulnerability was determined in janet-lang janet up to 1.40.1. This impacts the function janetc_if of the file src/core/specials.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called c43e06672cd9dacf2122c99f362120a17c34b391. It is advisable to implement a patch to correct this issue.
Published: 2026-02-09
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Read
Action: Patch
AI Analysis

Impact

A flaw in the janetc_if function of the Janet language interpreter allows a crafted input to trigger an out-of-bounds read. The entry confirms the existence of the read vulnerability but does not detail which data may be exposed; it merely states that a manipulation can lead beyond intended boundaries. Based on the nature of an out-of-bounds read, it is inferred that an attacker could potentially read sensitive memory contents, but this information disclosure is not explicitly documented in the CVE entry.

Affected Systems

All releases of the Janet language interpreter up to version 1.40.1 are affected; the flaw is in the core library's specials.c module. The patch identified by commit c43e06672cd9dacf2122c99f362120a17c34b391 resolves this issue. Users should check whether their installed interpreter falls in the affected range (up to 1.40.1) and update accordingly.

Risk and Exploitability

The CVSS base score of 4.8 indicates medium severity, while the EPSS score of less than 1% signifies a low probability of exploitation. The vulnerability is only exploitable locally, requiring the attacker to run code on the same system that executes Janet. It is not listed in the CISA KEV catalog. Overall, the risk is moderate and confined to local environments.

Generated by OpenCVE AI on April 18, 2026 at 18:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Janet release that includes the fix or apply the patch from commit c43e06672cd9dacf2122c99f362120a17c34b391.
  • If building from source, rebuild the binary after applying the patch to ensure the corrected code is used.
  • Restart any services or applications that invoke the Janet interpreter to load the patched version.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:45:00 +0000

Values removed: none
Values added:
  • CPEs: cpe:2.3:a:janet-lang:janet:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 12:45:00 +0000

Values removed: none
Values added:
  • First Time appeared: Janet-lang; Janet-lang janet
  • Vendors & Products: Janet-lang; Janet-lang janet

Mon, 09 Feb 2026 19:15:00 +0000

Values removed: none
Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 17:30:00 +0000

Values removed: none
Values added:
  • Description: A vulnerability was determined in janet-lang janet up to 1.40.1. This impacts the function janetc_if of the file src/core/specials.c. Executing a manipulation can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called c43e06672cd9dacf2122c99f362120a17c34b391. It is advisable to implement a patch to correct this issue.
  • Title: janet-lang janet specials.c janetc_if out-of-bounds
  • Weaknesses: CWE-119, CWE-125
  • References
  • Metrics:
      cvssV2_0 {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
      cvssV3_0 {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
      cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
      cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T10:00:36.959Z

Reserved: 2026-02-09T09:38:32.721Z

Link: CVE-2026-2242

Vulnrichment

Updated: 2026-02-09T18:40:24.358Z

NVD

Status: Analyzed

Published: 2026-02-09T18:16:08.857

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z
