PatchSiren cyber security CVE debrief
CVE-2026-10267 janet-lang CVE debrief
A low-severity, local out-of-bounds read exists in the Janet programming language runtime (janet-lang/janet, versions up to 1.41.0). The flaw is in the `doframe` function in `src/core/debug.c`. Exploitation requires local access: an attacker on the host supplies input that the debug frame handling code reads past the end of a buffer. A proof-of-concept exploit is publicly available (CVSS 4.0 Exploit Maturity E:P), which raises the practical risk in local attack scenarios. The issue is fixed in commit ed17dd2c5913a23fb1107251e44a9410a3c30cf5.
- Vendor
- janet-lang
- Product
- janet
- CVSS
- LOW 1.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-01
- Original CVE updated
- 2026-06-01
- Advisory published
- 2026-06-01
- Advisory updated
- 2026-06-01
Who should care
Organizations and developers running Janet (versions up to 1.41.0) in multi-user or shared local environments, where users who are not fully trusted can run code or feed input to Janet programs. Administrators of Janet-based applications should schedule the patch. The low CVSS score and the local attack vector limit broad enterprise urgency, but the public proof-of-concept warrants attention for affected deployments.
Technical summary
The vulnerability is an out-of-bounds read in the `doframe` function in `src/core/debug.c` of the Janet runtime, affecting versions up to 1.41.0. It is triggered by locally supplied input that the debug frame handling code processes. The CVSS 4.0 score of 1.9 (LOW) reflects the local attack vector, low attack complexity, and a low confidentiality impact with no integrity or availability impact: the weakness is a read, not a write, so the realistic outcome is disclosure of memory adjacent to the buffer rather than code execution. A proof-of-concept exploit is public (E:P), though exploitation still requires local access. The fix is GitHub commit ed17dd2c5913a23fb1107251e44a9410a3c30cf5.
Defensive priority
low
Recommended defensive actions
- Upgrade janet-lang/janet to a release that includes commit ed17dd2c5913a23fb1107251e44a9410a3c30cf5; for builds from source, rebuild from a checkout that contains that commit.
- Until patched, restrict local access to systems running vulnerable Janet versions to trusted users; the flaw requires local access, so this removes the attack vector.
- Monitor for suspicious local activity or unexpected process behaviour in Janet runtime environments.
- Review and apply vendor security advisories when formally published.
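As a practical check for the first two actions above, the following shell script is an added example (not PatchSiren's nor the Janet project's code) that decides whether an installed Janet binary or a source checkout falls inside the range this debrief lists. It assumes that "up to 1.41.0" is inclusive, that the first fixed release is not named on this page (so anything newer than 1.41.0 is only reported as outside the stated range, not verified fixed), that `janet -v` prints the bare version string, and that a source build is fixed when the patch commit is an ancestor of HEAD.

```shell
#!/bin/sh
# Added example for CVE-2026-10267 (janet-lang/janet), not code from PatchSiren
# or the Janet project. Decides whether a Janet installation or source checkout
# is inside the affected range given in the debrief.
#
# Assumptions (labelled here because the debrief does not state them outright):
#   * "up to 1.41.0" is read as inclusive, so 1.41.0 itself counts as affected;
#   * the first fixed release is not named, so anything newer than 1.41.0 is only
#     reported as "outside the stated range", not as verified fixed;
#   * `janet -v` prints the bare version string of the binary on PATH;
#   * a source build is fixed when the patch commit is an ancestor of HEAD.

FIX_COMMIT=ed17dd2c5913a23fb1107251e44a9410a3c30cf5
MAX_AFFECTED=1.41.0

# version_key VERSION: print an integer that orders MAJOR.MINOR.PATCH versions.
# A leading "v" and any suffix after the digits (e.g. "1.41.0-dev") are dropped;
# missing components count as 0.
version_key() {
    _v=${1#v}
    _old_ifs=$IFS
    IFS=.
    set -- $_v
    IFS=$_old_ifs
    _maj=${1:-0}; _min=${2:-0}; _pat=${3:-0}
    _maj=${_maj%%[!0-9]*}; _min=${_min%%[!0-9]*}; _pat=${_pat%%[!0-9]*}
    echo $(( ${_maj:-0} * 1000000 + ${_min:-0} * 1000 + ${_pat:-0} ))
}

# is_affected_version VERSION: success (0) when VERSION <= 1.41.0.
is_affected_version() {
    [ "$(version_key "$1")" -le "$(version_key "$MAX_AFFECTED")" ]
}

# check_installed_janet: classify the janet binary on PATH. Returns 0 when the
# version is above the stated range, 1 when affected, 2 when janet is missing.
check_installed_janet() {
    _ver=$(janet -v 2>/dev/null) || { echo "janet: not found on PATH"; return 2; }
    if is_affected_version "$_ver"; then
        echo "janet $_ver: inside the affected range (<= $MAX_AFFECTED) for CVE-2026-10267"
        return 1
    fi
    echo "janet $_ver: above the range stated in the debrief (confirm the build includes $FIX_COMMIT)"
    return 0
}

# check_source_tree DIR: for a git checkout of janet-lang/janet, succeed only
# when the fix commit is an ancestor of HEAD. git exits non-zero both when the
# commit is not an ancestor and when the clone has never fetched it, so a
# failure here means "fetch and re-check" rather than "definitely vulnerable".
check_source_tree() {
    if git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null; then
        echo "$1: HEAD contains fix commit $FIX_COMMIT"
        return 0
    fi
    echo "$1: fix commit $FIX_COMMIT is not an ancestor of HEAD (or is unknown to this clone)"
    return 1
}

# Usage: sh janet-cve-check.sh --installed        # check the janet on PATH
#        sh janet-cve-check.sh /path/to/janet     # check a source checkout
case "${1:-}" in
    "") ;;                                    # no argument: only define functions
    --installed) check_installed_janet ;;
    *) check_source_tree "$1" ;;
esac
```

The version comparison is numeric rather than a string match so that 1.41.0 sorts below 1.41.1 and above 1.9.0; the git check is deliberately conservative, treating an unknown commit as "not confirmed fixed" rather than guessing.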
Evidence notes
The vulnerability was reported to affect janet-lang/janet up to version 1.41.0, with the `doframe` function in `src/core/debug.c` identified as the affected component. The CVSS 4.0 vector records a local attack vector (AV:L), low attack complexity (AC:L), low confidentiality impact (VC:L), and no integrity or availability impact (VI:N/VA:N); the Exploit Maturity metric is E:P (proof-of-concept). The patch commit ed17dd2c5913a23fb1107251e44a9410a3c30cf5 is referenced in the source materials. CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read) are the applicable weakness enumerations.
Official resources
public