CVE-2026-41244 - Vulnerability Details

- Mojic: Observable Timing Discrepancy in HMAC Verification

Description

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4.

Published: 2026-04-24

Score: 4.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Mojic, a command‑line tool that converts C source into a stream of emojis, verifies file integrity by comparing an HMAC‑SHA256 seal during decryption. In versions prior to 2.1.4 the comparison uses a standard equality operator (!==), which results in a measurable timing discrepancy (CWE‑208). This side‑channel can be exploited to gain knowledge about the HMAC value and ultimately allow an attacker to bypass the integrity check, letting forged files be processed as if they were authentic.

Affected Systems

The vulnerability affects the Mojic CLI distributed by the notamitgamer project, specifically all releases older than 2.1.4. Users who continue to run these earlier versions are subject to the risk until they upgrade.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply crafted inputs to the decryption routine and measure timing differences, which is more feasible in environments where the CLI is exposed to untrusted data or where an attacker can read the tool’s timing output. Because no remote code execution or privilege escalation is achieved, the impact is limited to compromising file authenticity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

notamitgamer

mojic

affected

Version	Status	Constraints
`< 2.1.4`	affected	—

No data.

Vendor Product Confidence Versions

Notamitgamer

Mojic

100%

Version	Status	Scheme	Platform
`[0,2.1.4)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Mojic to version 2.1.4 or later, which replaces the standard equality comparison with a proper constant‑time HMAC check.
Remove or disable older Mojic binaries from the system to prevent accidental execution of the vulnerable code.
Limit the CLI to trusted users or restrict file input to authenticated, verified sources, and consider implementing additional integrity checks if older versions must remain in use.

Generated by OpenCVE AI on April 28, 2026 at 13:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-wqq3-wfmp-v85g	Mojic: Observable Timing Discrepancy in HMAC Verification

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g

History

Mon, 27 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Notamitgamer Notamitgamer mojic
Vendors & Products		Notamitgamer Notamitgamer mojic

Fri, 24 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 24 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4.
Title		Mojic: Observable Timing Discrepancy in HMAC Verification
Weaknesses		CWE-208
References		https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N'}`

Subscriptions

Notamitgamer Mojic

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-24T19:11:54.892Z

Updated: 2026-04-24T19:59:59.355Z

Reserved: 2026-04-18T03:47:03.135Z

Link: CVE-2026-41244

Vulnrichment

Updated: 2026-04-24T19:59:56.082Z

NVD

Status : Deferred

Published: 2026-04-24T20:16:26.957

Modified: 2026-04-28T21:18:07.827

Link: CVE-2026-41244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:45:06Z

Weaknesses

CWE-208

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object