CVE-2026-2241: Out-of-Bounds Read in janet-lang janet
A vulnerability was found in janet-lang janet up to version 1.40.1. It affects the function os_strftime in the file src/core/os.c: manipulated input causes an out-of-bounds read. The attack must be initiated locally. An exploit has been made public and could be used. The fix is commit 0f285855f0e34f9183956be5f16e045f54626bff; applying that patch is the recommended remediation.
AI Analysis
Technical Summary
CVE-2026-2241 is a medium severity vulnerability identified in the janet-lang janet runtime up to version 1.40.1. The flaw exists in the os_strftime function located in src/core/os.c, where improper handling of input data leads to an out-of-bounds read condition. This vulnerability arises when the function processes manipulated input, causing it to read memory beyond the intended buffer boundaries. Such out-of-bounds reads can result in exposure of sensitive memory contents or cause application crashes due to invalid memory access. The attack vector is local, meaning an attacker must have local access with low privileges to trigger the flaw; no user interaction or authentication is required beyond this. The vulnerability does not affect confidentiality, integrity, or availability on a large scale but can lead to limited information disclosure or denial of service in affected systems. The patch identified by commit 0f285855f0e34f9183956be5f16e045f54626bff addresses the issue by correcting the bounds checking in os_strftime. While public exploit code exists, there are no reports of active exploitation in the wild. The vulnerability is relevant primarily to environments running janet-lang versions 1.40.0 and 1.40.1, which may include embedded systems, development environments, or specialized applications relying on this language runtime.
Potential Impact
The primary impact of CVE-2026-2241 is the potential for local attackers to read memory beyond intended boundaries, which can lead to limited information disclosure. This may expose sensitive data residing in adjacent memory areas, potentially aiding further attacks or reconnaissance. Additionally, the out-of-bounds read could cause application instability or crashes, resulting in denial of service for affected processes. Since exploitation requires local access with low privileges, remote attackers cannot directly exploit this vulnerability. However, in multi-user systems or environments where untrusted users have local access, this vulnerability could be leveraged to escalate attacks or disrupt services. The scope is limited to systems running vulnerable janet-lang versions, which may be niche but critical in certain development or embedded contexts. Organizations relying on janet-lang for scripting or automation should consider the risk of data leakage and service disruption, especially in shared or sensitive environments.
Mitigation Recommendations
To mitigate CVE-2026-2241, organizations should promptly apply the official patch identified by commit 0f285855f0e34f9183956be5f16e045f54626bff to all affected janet-lang installations, upgrading beyond version 1.40.1. In addition to patching, restrict local access to systems running janet-lang to trusted users only, minimizing the risk of exploitation by unprivileged attackers. Employ strict access controls and monitoring on multi-user systems where janet-lang is used. Conduct code audits and testing for any custom extensions or integrations with janet-lang that might interact with os_strftime or related functions to ensure no residual vulnerabilities exist. Consider implementing runtime memory protection mechanisms such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to reduce the impact of out-of-bounds reads. Finally, maintain updated inventories of software versions in use to quickly identify and remediate vulnerable instances.
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-09T09:38:29.872Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698a0bd54b57a58fa15e776f
Added to database: 2/9/2026, 4:31:17 PM
Last enriched: 2/23/2026, 9:13:14 PM
Last updated: 3/26/2026, 9:47:38 PM