LOW 3.3

CVE-2026-10267: Out-of-Bounds Read in Janet Language Debug Frame Handling

A flaw in the Janet programming language (version 1.41.0 and earlier) allows a local user to read memory beyond intended boundaries in the debug frame handling code. The vulnerability requires local system access and valid user credentials to exploit, but poses a confidentiality risk by enabling unauthorized disclosure of sensitive data in memory.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-119, CWE-125
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A security flaw has been discovered in janet-lang janet up to 1.41.0. This affects the function doframe of the file src/core/debug.c. Performing a manipulation results in out-of-bounds read. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. The patch is named ed17dd2c5913a23fb1107251e44a9410a3c30cf5.

9 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10267 is an out-of-bounds read vulnerability in janet-lang's doframe function located in src/core/debug.c. The flaw stems from improper bounds checking when manipulating debug frame structures, allowing an authenticated local attacker to access memory outside allocated buffers. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read), indicating both a buffer management issue and active information disclosure. The CVSS 3.1 score of 3.3 (LOW severity) reflects the local-only attack vector and limited impact scope.

Business impact

Organizations using Janet for local processing, automation, or embedded systems should assess whether this vulnerability affects their deployment posture. While the attack surface is constrained to local users with valid credentials, the information disclosure risk could expose sensitive algorithmic data, cryptographic material, or other memory contents to unauthorized personnel. Development teams relying on Janet's debug facilities should prioritize patching to prevent accidental or malicious information leakage during system administration or debugging workflows.

Affected systems

Janet language runtime versions up to and including 1.41.0 are affected. The vulnerability is present in the debug frame handling mechanism (doframe function), meaning systems actively using Janet's debugging or introspection capabilities are at highest risk. Janet installations without active local user access or those running on restricted, air-gapped systems face reduced practical exposure.

Exploitability

The exploit is publicly available, increasing attack likelihood for those with existing access to vulnerable systems. However, exploitation requires local system access and valid user privileges, substantially limiting the threat scope compared to network-based vulnerabilities. An attacker must authenticate to the system and invoke specific manipulation of debug frame structures to trigger the out-of-bounds read. No user interaction is required once access is obtained.

Remediation

Apply the patch identified by commit hash ed17dd2c5913a23fb1107251e44a9410a3c30cf5. Organizations should verify this commit is included in their deployed Janet version. Consider restricting local system access to trusted administrators and reviewing audit logs for suspicious debug operations on systems running older Janet versions.

Patch guidance

Upgrade Janet to a version containing commit ed17dd2c5913a23fb1107251e44a9410a3c30cf5 (verify against the official janet-lang repository and release notes). Test patched versions in non-production environments before deployment. If an immediate upgrade is not feasible, restrict local user accounts and monitor for anomalous debug frame access patterns.

Detection guidance

Monitor system logs for repeated failed or unusual invocations of Janet debug functions, particularly those involving frame manipulation. Intrusion detection signatures targeting doframe function abuse may be developed by your security team. Review access logs for users executing debug operations outside normal administrative workflows. Consider deploying file integrity monitoring on Janet runtime binaries to detect unauthorized modifications.

Why prioritize this

Despite the LOW CVSS score, prioritization should account for public exploit availability and information disclosure potential in your specific environment. If Janet runs on shared multi-user systems or processes sensitive workloads, treat this as medium priority for patching. For single-user or restricted deployments, lower urgency is acceptable provided access controls are strong.

Risk score, explained

The CVSS 3.1 score of 3.3 reflects a local-only attack vector (AV:L), low attack complexity (AC:L), requirement for low privileges (PR:L), and confidentiality impact (C:L) with no integrity or availability consequences. The score is intentionally conservative due to the multi-factor barriers to exploitation, but the presence of public exploit code and memory disclosure capability warrant practical attention in risk assessments.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The attack vector is strictly local (AV:L), requiring the attacker to have valid credentials and direct access to the compromised system. Remote exploitation is not possible.

What data can an attacker access?

The out-of-bounds read allows an attacker to read memory adjacent to debug frame structures. The specific data depends on what resides in adjacent memory at runtime—potentially including other variables, stack contents, or heap data. No integrity or modification of data occurs.

Is there a workaround if I cannot patch immediately?

Yes. Restrict local user accounts to only trusted administrators, disable unnecessary debug capabilities if your application allows it, and implement strong access controls. However, patching should remain the primary remediation goal.

Does this affect Janet embedded in other applications?

If your application embeds the Janet runtime and permits local user access or debug operations, yes—you inherit the vulnerability. Consult your application vendor and confirm the Janet version bundled with your software.

This analysis is provided for informational purposes to assist security professionals in vulnerability management. It does not constitute legal advice or a guarantee of exploit impact. Patch version information is derived from the vendor advisory; verify against official janet-lang releases before deployment. Public availability of exploit code does not guarantee reliable or effective attacks in all environments. Organizations should conduct their own risk assessment and testing in isolated environments before applying patches to production systems. SEC.co makes no warranty regarding the completeness or accuracy of vulnerability impact in specific deployments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).