
CVE-2026-2240: Out-of-Bounds Read in janet-lang janet

Medium
Published: Mon Feb 09 2026 (02/09/2026, 15:32:10 UTC)
Source: CVE Database V5
Vendor/Project: janet-lang
Product: janet

Description

A vulnerability has been found in janet-lang janet up to 1.40.1. The impacted element is the function janetc_pop_funcdef in the file src/core/compile.c. Manipulating it leads to an out-of-bounds read. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The name of the patch is 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5. A patch should be applied to remediate this issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/23/2026, 21:12:58 UTC

Technical Analysis

CVE-2026-2240 is a security vulnerability discovered in the janet-lang janet interpreter, affecting versions 1.40.0 and 1.40.1. The vulnerability resides in the janetc_pop_funcdef function located in the src/core/compile.c source file. It results in an out-of-bounds read condition, where the program reads memory outside the allocated buffer boundaries. This can occur due to improper handling of function definitions during compilation or bytecode processing. The vulnerability requires local access with limited privileges (PR:L) and does not require user interaction or elevated privileges. The attack vector is local, meaning an attacker must have access to the system where janet is installed. The CVSS v4.0 base score is 4.8, reflecting medium severity, with low attack complexity and no user interaction needed. The impact primarily concerns confidentiality, as out-of-bounds reads can leak sensitive memory contents, potentially exposing secrets or internal data structures. The vulnerability does not directly allow code execution or privilege escalation but may be leveraged in chained attacks. The patch identified by commit 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5 fixes the issue by correcting the bounds checking logic in the affected function. No public exploits are known at this time, but the vulnerability has been publicly disclosed, increasing the risk of future exploitation. Organizations using janet-lang, especially in environments where local users have access, should apply the patch to prevent potential information disclosure.

Potential Impact

The primary impact of CVE-2026-2240 is unauthorized disclosure of memory contents due to out-of-bounds reads. This can lead to leakage of sensitive information such as cryptographic keys, passwords, or internal program data, undermining confidentiality. While the vulnerability does not allow remote exploitation or privilege escalation, it poses a risk in multi-user environments or systems where untrusted local users have access. Attackers could use this flaw to gather intelligence for further attacks or to bypass security controls relying on memory confidentiality. The medium severity rating reflects the limited attack vector and moderate impact. However, in environments where janet-lang is used for critical scripting or automation, this vulnerability could compromise operational security. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially after public disclosure. Organizations with janet-lang installations should consider the risk of insider threats or compromised local accounts exploiting this vulnerability.

Mitigation Recommendations

To mitigate CVE-2026-2240, organizations should promptly apply the official patch identified by commit 4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5 to all affected janet-lang versions (1.40.0 and 1.40.1). Additionally, restrict local access to systems running janet-lang to trusted users only, minimizing the risk of exploitation by unprivileged attackers. Implement strict access controls and monitoring on systems where janet is installed, especially in shared or multi-user environments. Consider using sandboxing or containerization to isolate janet-lang processes and limit potential memory exposure. Regularly audit and update janet-lang installations to the latest secure versions. If patching is not immediately feasible, monitor system logs for unusual activity and limit the execution of untrusted scripts. Educate developers and system administrators about the vulnerability and the importance of applying security updates. Finally, incorporate janet-lang vulnerability scanning into routine security assessments to detect outdated versions.
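
An added example (not from this advisory or the janet project) of the version audit recommended above: it flags versions at or below 1.40.1 and tests a source checkout for the patch commit. It assumes `janet -v` prints `<version>-<build>` and follows the description's "up to 1.40.1" range; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2026-2240, not code from the janet project.
FIX_COMMIT=4dd08a4cdef5b1c42d9a2c19fc24412e97ef51d5  # patch commit named in the advisory
LAST_AFFECTED=1.40.1                                  # advisory: "up to 1.40.1"

# Return 0 when a version string such as "1.40.1-abc123" or "v1.39.0" is at or
# below LAST_AFFECTED. Unparseable input counts as affected so it gets reviewed.
version_in_affected_range() {
    v=${1%%-*}; v=${v#v}
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v 0 0; a=$1 b=$2 c=$3          # pad a missing minor/patch with 0
    set -- $LAST_AFFECTED; IFS=$old_ifs
    [ "$a" -lt "$1" ] && return 0
    [ "$a" -gt "$1" ] && return 1
    [ "$b" -lt "$2" ] && return 0
    [ "$b" -gt "$2" ] && return 1
    [ "$c" -le "$3" ]
}

# Return 0 when the janet source checkout in $1 already contains FIX_COMMIT.
# A missing repository, a missing commit, or a missing git all count as "no".
checkout_has_fix() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Describe the janet binary on PATH (assumption: `janet -v` prints "<version>-<build>").
report_installed() {
    ver=$(janet -v 2>/dev/null) || { echo "janet: not found on PATH"; return 0; }
    if version_in_affected_range "$ver"; then
        echo "janet $ver: within affected range (<= $LAST_AFFECTED), check for $FIX_COMMIT"
    else
        echo "janet $ver: above the affected range stated in the advisory"
    fi
}

report_installed
# Optional: pass a source checkout path to test for the fix commit directly.
if [ -n "${1:-}" ]; then
    if checkout_has_fix "$1"; then echo "$1: fix commit present"
    else echo "$1: fix commit NOT found"; fi
fi
```

A version inside the range is not proof of exposure when the build was made from a tree that already carries the patch, which is why the checkout test is the stronger signal.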


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-09T09:38:25.338Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 698a04d04b57a58fa15c44d9

Added to database: 2/9/2026, 4:01:20 PM

Last enriched: 2/23/2026, 9:12:58 PM

Last updated: 3/26/2026, 9:47:38 PM
