Login Sign Up

CVE-2026-2241

3.3 LOW
Denial of Service

📋 TL;DR

CVE-2026-2241 is an out-of-bounds read vulnerability in the os_strftime function of Janet programming language. This allows local attackers to read memory beyond allocated buffers, potentially exposing sensitive information. Only systems running vulnerable versions of Janet are affected.

💻 Affected Systems

Products:
  • janet-lang janet
Versions: Up to and including version 1.40.1
Operating Systems: All platforms running Janet
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the os_strftime function in vulnerable Janet versions is affected

📦 What is this software?

Janet by Janet Lang

View all CVEs affecting Janet →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure of sensitive memory contents, potentially including credentials, cryptographic keys, or other application data

🟠

Likely Case

Application crash or denial of service due to invalid memory access

🟢

If Mitigated

No impact if proper input validation and memory protections are in place

🌐 Internet-Facing: LOW - Attack requires local access to the system
🏢 Internal Only: MEDIUM - Local attackers on shared systems could exploit this vulnerability

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and manipulation of os_strftime function parameters

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after commit 0f285855f0e34f9183956be5f16e045f54626bff

Vendor Advisory: https://github.com/janet-lang/janet/issues/1701

Restart Required: Yes

Instructions:

1. Update Janet to version after commit 0f285855f0e34f9183956be5f16e045f54626bff
2. Recompile any applications using Janet
3. Restart affected services

🔧 Temporary Workarounds

Disable vulnerable function usage

all

Avoid using os_strftime function in applications until patched

Memory protection controls

linux

Enable ASLR and other memory protection mechanisms

echo 2 > /proc/sys/kernel/randomize_va_space

🧯 If You Can't Patch

  • Isolate systems running vulnerable Janet versions from untrusted users
  • Implement strict access controls to limit local user privileges

🔍 How to Verify

Check if Vulnerable:

Check Janet version with 'janet -v' and verify if it's 1.40.1 or earlier

Check Version:

janet -v

Verify Fix Applied:

Verify Janet version is after commit 0f285855f0e34f9183956be5f16e045f54626bff or test os_strftime function with boundary inputs

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in application logs
  • Memory access violation messages

Network Indicators:

  • No network indicators - local exploit only

SIEM Query:

search 'segmentation fault' OR 'memory violation' in application logs where process contains 'janet'

📊 Metadata

CVE ID: CVE-2026-2241
CVSS v3 Score: 3.3 (LOW)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-119
EPSS Score: 0.01% exploit probability (1.9th percentile)
Published: February 9, 2026
Last Updated: February 25, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2241, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)