CVE-2026-2240 – CVE-2026-2240 is an out-of-bounds read vulnerab... (How to Fix)

📋 TL;DR

CVE-2026-2240 is an out-of-bounds read vulnerability in the janet programming language's compiler function janetc_pop_funcdef. This allows local attackers to read memory beyond intended boundaries, potentially exposing sensitive information. Only systems running vulnerable versions of janet are affected.

💻 Affected Systems

Products:

janet-lang janet

Versions: Up to and including version 1.40.1

Operating Systems: All platforms running janet

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable by default

📦 What is this software?

Janet by Janet Lang

View all CVEs affecting Janet →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure of sensitive memory contents, potentially including credentials, cryptographic keys, or other application data

🟠

Likely Case

Application crash or denial of service due to invalid memory access

🟢

If Mitigated

Minimal impact with proper access controls limiting local user privileges

🌐 Internet-Facing: LOW - Requires local access to exploit

🏢 Internal Only: MEDIUM - Internal users with local access could exploit this vulnerability

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires local access and has been publicly disclosed in GitHub repositories

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5

Vendor Advisory: https://github.com/janet-lang/janet/issues/1702

Restart Required: Yes

Instructions:

1. Update janet to latest version from official repository
2. Rebuild any applications using janet
3. Restart affected services

🔧 Temporary Workarounds

Restrict local user access

all

Limit local user privileges to reduce attack surface

🧯 If You Can't Patch

Implement strict access controls to limit local user privileges
Monitor for suspicious local user activity and memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check janet version with 'janet -v' and verify if version is 1.40.1 or earlier

Check Version:

janet -v

Verify Fix Applied:

Verify commit hash includes 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5 or version is newer than 1.40.1

📡 Detection & Monitoring

Log Indicators:

Application crashes, segmentation faults, or abnormal termination of janet processes

Network Indicators:

None - this is a local vulnerability

SIEM Query:

Process termination events for janet executables with error codes indicating memory access violations

📊 Metadata

CVE ID: CVE-2026-2240

CVSS v3 Score: 3.3 (LOW)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-119

EPSS Score: 0.01% exploit probability (1.9th percentile)

Published: February 9, 2026

Last Updated: February 25, 2026

🔗 References

https://github.com/janet-lang/janet/ Product
https://github.com/janet-lang/janet/commit/4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5 Patch
https://github.com/janet-lang/janet/issues/1702 Exploit,Issue Tracking
https://github.com/janet-lang/janet/issues/1702#issuecomment-3790473369 Exploit,Issue Tracking
https://github.com/oneafter/0123/blob/main/ja4/repro Exploit
https://vuldb.com/?ctiid.344979 Permissions Required,VDB Entry
https://vuldb.com/?id.344979 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.753155 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2240, you might also want to check these: