Description
A vulnerability was identified in janet-lang janet up to 1.40.1. Affected by this vulnerability is the function janetc_varset of the file src/core/specials.c of the component handleattr Handler. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. Upgrading to version 1.41.0 addresses this issue. The identifier of the patch is 2fabc80151a2b8834ee59cda8a70453f848b40e5. The affected component should be upgraded.
Published: 2026-02-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability in janet’s variable setting function allows an attacker with local access to read beyond the intended buffer boundaries. This out‑of‑bounds read can leak data that is not meant to be exposed, such as process memory contents or sensitive configuration values. The flaw is a classic buffer over‑read classified as CWE‑119 and CWE‑125, and the consequence is that an attacker can gather information about the system or the application without altering state or executing code.

Affected Systems

It affects all versions of the janet‑lang JANet interpreter up to and including 1.40.1. The flaw resides in the handleattr component’s janetc_varset function within src/core/specials.c. Users who run versions prior to 1.41.0 are vulnerable. Upgrading to 1.41.0 resolves the issue. The vendor is janet‑lang.

Risk and Exploitability

The CVSS score of 4.8 reflects a moderate risk, and the EPSS score indicates the probability of exploitation is very low (<1 %). The vulnerability is not listed in CISA’s KEV catalog, meaning no confirmed exploitation in the wild. The attack vector is local, so only users or processes with local privileges can abuse the flaw. Because an official patch is available, the risk is mitigated by upgrading. The danger is limited to an information leak, but it should still be remedied to avoid accidental disclosure.

Generated by OpenCVE AI on April 17, 2026 at 16:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the janet interpreter to version 1.41.0 or later, which includes commit 2fabc80151a2b8834ee59cda8a70453f848b40e5 that removes the out‑of‑bounds read in janetc_varset.
  • If the upgrade cannot be performed immediately, limit the interpreter’s execution to a sandboxed environment with minimal privileges and disable any optional handleattr features that are not required by your application.
  • Where possible, audit and validate any third‑party modules that interact with janetc_varset to ensure they perform proper boundary checks before accessing memory.

Generated by OpenCVE AI on April 17, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:janet-lang:janet:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Janet-lang
Janet-lang janet
Vendors & Products Janet-lang
Janet-lang janet

Sat, 21 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in janet-lang janet up to 1.40.1. Affected by this vulnerability is the function janetc_varset of the file src/core/specials.c of the component handleattr Handler. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. Upgrading to version 1.41.0 addresses this issue. The identifier of the patch is 2fabc80151a2b8834ee59cda8a70453f848b40e5. The affected component should be upgraded.
Title janet-lang janet handleattr specials.c janetc_varset out-of-bounds
Weaknesses CWE-119
CWE-125
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Janet-lang Janet
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T19:36:13.428Z

Reserved: 2026-02-20T14:33:57.660Z

Link: CVE-2026-2869

cve-icon Vulnrichment

Updated: 2026-02-23T19:36:06.160Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-21T15:15:58.607

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2869

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z

Weaknesses