LOW 3.3

CVE-2026-10268: Janet Language Integer Overflow in Fiber Deserialization

A vulnerability exists in Janet language versions up to 1.41.0 that allows an integer overflow when processing serialized fiber data. An attacker with local system access can exploit this condition to cause a denial of service by crashing the affected application. The vulnerability is not critical but represents a real risk in environments where untrusted users have local access to systems running vulnerable Janet versions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-189, CWE-190
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in janet-lang janet up to 1.41.0. This vulnerability affects the function unmarshal_one_fiber of the file src/core/marsh.c. Executing a manipulation can lead to integer overflow. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. This patch is called d9b1d711ea1fde52ac73a82088b512a3e17bad0d. A patch should be applied to remediate this issue.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10268 is an integer overflow vulnerability in the unmarshal_one_fiber function within src/core/marsh.c of Janet language up to version 1.41.0. The vulnerability stems from improper validation of integer values during deserialization of fiber objects. Exploitation requires local access and low privileges. The flaw maps to CWE-189 (Numeric Errors) and CWE-190 (Integer Overflow or Wraparound), indicating insufficient bounds checking during marshal/unmarshal operations. A public exploit is available, though the low CVSS score reflects the attack's local-only nature and limited impact scope.

Business impact

This vulnerability primarily affects availability rather than confidentiality or integrity. Organizations running Janet-based applications in multi-tenant or shared-access environments face localized denial-of-service risk. The impact is contained to the affected process—an integer overflow causes application crashes rather than system-wide compromise. However, applications relying on Janet for compute-intensive or mission-critical operations should prioritize patching to maintain uptime and prevent attackers from forcing service interruptions through serialized data manipulation.

Affected systems

Janet language runtime installations version 1.41.0 and earlier are vulnerable. The affected code path is triggered only when deserializing fiber objects from untrusted or attacker-controlled marshaled data. Applications using Janet's serialization features (particularly those accepting external serialized inputs) face the highest risk. Environments where only trusted users can provide inputs have significantly reduced exposure.

Exploitability

The vulnerability requires local system access and can be exploited by unprivileged users. A public exploit is available, lowering the barrier to weaponization. However, practical exploitation is limited to scenarios where an attacker can either place malicious serialized data where an application will deserialize it, or interact directly with a Janet process. Remote exploitation is not possible through this vector alone—it would require chaining with another remote code execution or file upload vulnerability to deliver the malicious payload.

Remediation

Apply the patch identified as commit d9b1d711ea1fde52ac73a82088b512a3e17bad0d or update to a Janet version released after this fix. Verify the patch against the official Janet language repository and release notes to confirm the version incorporates this commit. Organizations should prioritize systems where untrusted users have local access or where applications deserialize external fiber data.

Patch guidance

Update Janet language to a version that includes commit d9b1d711ea1fde52ac73a82088b512a3e17bad0d. Consult the official Janet repository and release notes to identify the first stable release containing this fix. Test patched versions in non-production environments to ensure compatibility with deployed Janet applications before rolling out to production. If you cannot patch immediately, implement input validation and sanitization for any serialized data before passing it to unmarshal operations.

Detection guidance

Monitor for application crashes or segmentation faults in Janet processes, particularly those handling serialized data. Log analysis of applications using Janet's marshaling functions may reveal patterns of malformed input attempts. Network-level detection is limited since the attack is local; focus detection efforts on system-level indicators such as unexpected process terminations, core dumps, or repeated crashes in Janet runtimes following suspicious file access or IPC activity. Consider deploying application-level logging to track deserialization failures.

Why prioritize this

Although the CVSS score is low (3.3), this vulnerability should not be deprioritized indefinitely. The availability of a public exploit and the relative ease of local exploitation make it suitable for inclusion in routine patch management cycles. Prioritize patching in systems with multi-user access, containerized Janet applications, or those deserializing untrusted data. For isolated systems or those with strict access controls, this can be scheduled during standard maintenance windows without emergency treatment.

Risk score, explained

The CVSS v3.1 score of 3.3 (LOW) reflects the attack vector (Local only), low privileges required, and impact limited to availability denial. The vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L indicates no confidentiality or integrity impact. The score appropriately captures that this is a local denial-of-service issue with no data breach risk. However, organizations should consider business context—if Janet availability is critical to operations, local DoS may warrant faster remediation despite the low base score.

Frequently asked questions

Can this vulnerability be exploited remotely?

No, exploitation requires local system access. Remote exploitation would require an attacker to first gain local access or combine this vulnerability with another remote code execution vulnerability to deliver the malicious serialized data.

What versions of Janet are affected?

Janet versions up to and including 1.41.0 are vulnerable. The specific commit d9b1d711ea1fde52ac73a82088b512a3e17bad0d contains the fix; consult release notes to determine which public release first includes this patch.

Is my application affected if I don't use Janet's marshaling or serialization features?

If your Janet application does not call unmarshal functions on external or untrusted data, your exposure is minimal. However, indirect deserialization (e.g., through libraries or frameworks) may still invoke vulnerable code paths—review your dependencies carefully.

What should I do if I cannot patch immediately?

Restrict local system access through strong authentication and privilege separation. If you deserialize Janet objects, validate and sanitize inputs before passing them to unmarshal functions. Monitor for crashes and implement rate limiting on deserialization operations to reduce denial-of-service impact.

This analysis is provided for informational purposes. The vulnerability details, affected versions, and patch information are based on the published advisory. Organizations should verify patch applicability against their specific deployments and the official Janet language repository. No exploit code or weaponized proof-of-concepts are provided. Testing of patches should occur in non-production environments before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consulting official vendor guidance and security bulletins for authoritative information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).