Login Sign Up

CVE-2026-2869

3.3 LOW

📋 TL;DR

This CVE describes an out-of-bounds read vulnerability in the janet-lang Janet programming language's handleattr handler. Attackers with local access can exploit this to read sensitive memory contents, potentially exposing credentials or other data. Only systems running Janet versions up to 1.40.1 are affected.

💻 Affected Systems

Products:
  • janet-lang janet
Versions: up to 1.40.1
Operating Systems: All platforms running Janet
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where Janet is installed and the vulnerable handleattr functionality is used.

📦 What is this software?

Janet by Janet Lang

View all CVEs affecting Janet →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker reads sensitive memory contents including credentials, encryption keys, or other application data, leading to privilege escalation or data breach.

🟠

Likely Case

Local user reads limited memory contents, potentially exposing some application data but not full system compromise.

🟢

If Mitigated

With proper access controls and isolation, impact is limited to the Janet process's memory space only.

🌐 Internet-Facing: LOW - Attack requires local access, cannot be exploited remotely.
🏢 Internal Only: MEDIUM - Local attackers on shared systems could exploit this, but requires specific Janet usage patterns.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and knowledge of Janet usage patterns. Public proof-of-concept exists in GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.41.0

Vendor Advisory: https://github.com/janet-lang/janet/releases/tag/v1.41.0

Restart Required: Yes

Instructions:

1. Backup current Janet installation
2. Download Janet 1.41.0 from official repository
3. Follow build/installation instructions for your platform
4. Restart any services using Janet
5. Verify version with 'janet -v'

🔧 Temporary Workarounds

Restrict local access

all

Limit local user access to systems running vulnerable Janet versions

Disable vulnerable functionality

all

Avoid using handleattr functionality in Janet code if possible

🧯 If You Can't Patch

  • Isolate Janet applications in containers or VMs with minimal privileges
  • Implement strict access controls to limit local user access to affected systems

🔍 How to Verify

Check if Vulnerable:

Run 'janet -v' and check if version is 1.40.1 or earlier

Check Version:

janet -v

Verify Fix Applied:

Run 'janet -v' and confirm version is 1.41.0 or later

📡 Detection & Monitoring

Log Indicators:

  • Unusual Janet process crashes
  • Memory access violations in system logs

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

Process execution where command contains 'janet' AND version < 1.41.0

📊 Metadata

CVE ID: CVE-2026-2869
CVSS v3 Score: 3.3 (LOW)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-119
Published: February 21, 2026
Last Updated: February 26, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2869, you might also want to check these:

CVE-2024-23613 10.0

A critical buffer overflow vulnerability in Symantec Deployment Solution 7.9 allows remote, unauthen...

Same vulnerability type (CWE-119)
CVE-2024-23615 10.0

A critical buffer overflow vulnerability in Symantec Messaging Gateway allows remote unauthenticated...

Same vulnerability type (CWE-119)
CVE-2026-2776 10.0

This CVE describes a sandbox escape vulnerability in Firefox's Telemetry component due to incorrect ...

Same vulnerability type (CWE-119)