CVE-2026-2240 Overview
A vulnerability has been discovered in janet-lang Janet up to version 1.40.1 that allows an out-of-bounds read in the compiler component. The impacted element is the function janetc_pop_funcdef located in the file src/core/compile.c. This memory corruption vulnerability requires local access to exploit and has been publicly disclosed with a proof-of-concept available.
Critical Impact
Local attackers can trigger an out-of-bounds read condition in the Janet compiler, potentially leading to information disclosure or application crashes when processing maliciously crafted Janet code.
Affected Products
- janet-lang Janet versions up to and including 1.40.1
- Applications embedding the Janet runtime/compiler
- Systems running Janet-based scripts with untrusted input
Discovery Timeline
- February 9, 2026 - CVE-2026-2240 published to NVD
- February 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2240
Vulnerability Analysis
This vulnerability exists in the Janet programming language's compiler implementation, specifically within the janetc_pop_funcdef function in src/core/compile.c. The flaw is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), manifesting as an out-of-bounds read condition.
The root cause involves insufficient bounds checking when accessing the closure bitset chunks array. The compiler's register allocator preallocates certain registers in the high 16 bits of chunk index 7 (registers 240-255), but the original code failed to verify that the slotchunks count was large enough before attempting to mask those bits.
Root Cause
The vulnerability stems from a missing bounds check in the closure bitset handling logic. The original code checked if scope->ua.count > 7 before accessing chunks[7], but failed to also verify that slotchunks > 7. This allowed the code to potentially access chunks[7] when the slotchunks allocation was insufficient, resulting in an out-of-bounds memory read.
Attack Vector
An attacker with local access must craft a malicious Janet source file that triggers the vulnerable code path during compilation. When the Janet compiler processes this input, it can read memory beyond the allocated buffer bounds. While this vulnerability requires local access and has limited direct security impact, it could potentially be chained with other vulnerabilities or used to crash Janet-based applications processing untrusted code.
// Security patch in src/core/compile.c
// Source: https://github.com/janet-lang/janet/commit/4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5
JANET_OUT_OF_MEMORY;
}
memcpy(chunks, scope->ua.chunks, sizeof(uint32_t) * numchunks);
+ /* fprintf(stderr, "slot chunks: %d, scope->ua.count: %d, numchunks: %d\n", slotchunks, scope->ua.count, numchunks); */
/* Register allocator preallocates some registers [240-255, high 16 bits of chunk index 7], we can ignore those. */
- if (scope->ua.count > 7) chunks[7] &= 0xFFFFU;
+ if (scope->ua.count > 7 && slotchunks > 7) chunks[7] &= 0xFFFFU;
def->closure_bitset = chunks;
}
The patch adds an additional bounds check (slotchunks > 7) to ensure the chunks array is large enough before accessing index 7.
Detection Methods for CVE-2026-2240
Indicators of Compromise
- Unexpected crashes in Janet compiler or Janet-based applications
- Segmentation faults or memory access violations during Janet code compilation
- Error logs indicating memory corruption in compile.c or related components
- Anomalous memory read patterns in processes running Janet
Detection Strategies
- Monitor for application crashes with stack traces involving janetc_pop_funcdef function
- Implement memory sanitizers (AddressSanitizer) during development and testing to catch out-of-bounds reads
- Review system logs for Janet process crashes or unexpected terminations
- Use static analysis tools to identify potential memory safety issues in Janet integrations
Monitoring Recommendations
- Deploy endpoint detection and response (EDR) solutions to monitor for abnormal process behavior
- Implement file integrity monitoring on Janet source files and compiled outputs
- Set up alerting for repeated crashes in Janet-based services
- Monitor process memory usage patterns for anomalies that may indicate exploitation attempts
How to Mitigate CVE-2026-2240
Immediate Actions Required
- Update janet-lang Janet to a version containing commit 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5 or later
- Review applications that embed Janet for exposure to untrusted input
- Implement input validation for Janet source code before compilation
- Consider sandboxing Janet compilation processes that handle untrusted input
Patch Information
A security patch has been released by the Janet maintainers. The fix is available in commit 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5. Additional details can be found in GitHub Issue #1702.
Workarounds
- Restrict Janet compilation to trusted source files only until patching is complete
- Run Janet processes with reduced privileges to limit impact of potential exploitation
- Use process isolation or containerization for Janet-based applications handling external input
- Implement resource limits and monitoring on Janet compiler processes
# Verify Janet version and check for vulnerability
janet -v
# Build Janet from source with the security patch applied
git clone https://github.com/janet-lang/janet.git
cd janet
git checkout 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5
make clean && make
sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
