CVE-2026-2869 is a security vulnerability identified in the janet-lang janet interpreter, affecting versions 1.40.0 and 1.40.1. The issue resides in the janetc_varset function located in the src/core/specials.c file, part of the handleattr Handler component. The vulnerability manifests as an out-of-bounds read, where the function improperly accesses memory outside the allocated bounds during variable setting operations. This can lead to unintended disclosure of memory contents, potentially exposing sensitive data held in adjacent memory regions. The attack requires local access with limited privileges (PR:L), no user interaction, and no authentication bypass, making remote exploitation infeasible. The vulnerability has a CVSS 4.8 (medium) rating, reflecting moderate impact and exploitability. A patch identified by commit 2fabc80151a2b8834ee59cda8a70453f848b40e5 was released in janet version 1.41.0 to address this issue. While no known widespread exploitation exists, a public exploit is available, increasing the risk of local attacks. The vulnerability is relevant primarily to environments running janet-lang janet, which is used as a lightweight, embeddable programming language in various applications and development contexts.

The out-of-bounds read vulnerability in janet-lang janet can lead to unauthorized disclosure of memory contents, potentially exposing sensitive information such as cryptographic keys, passwords, or other confidential data stored in memory. Although the attack requires local access with limited privileges, it could be leveraged by malicious insiders or attackers who have gained initial foothold on a system to escalate their knowledge of the environment or facilitate further attacks. The vulnerability does not allow direct code execution or privilege escalation but can aid in reconnaissance and exploitation of other vulnerabilities. Systems embedding janet-lang for scripting or automation may be at risk, especially in multi-user or shared environments. The medium severity rating reflects the limited attack vector and moderate impact, but organizations with sensitive data or critical infrastructure using janet should consider this a significant risk. Failure to patch could result in information leakage and increased attack surface for subsequent exploits.

To mitigate CVE-2026-2869, organizations should upgrade janet-lang janet to version 1.41.0 or later, which contains the official patch fixing the out-of-bounds read issue. In environments where immediate upgrading is not feasible, restrict local access to systems running vulnerable janet versions by enforcing strict access controls and monitoring for suspicious local activity. Employ host-based intrusion detection systems (HIDS) to detect anomalous behavior indicative of exploitation attempts. Additionally, conduct code audits and memory safety checks if janet is embedded in custom applications to identify and remediate similar unsafe memory operations. Limit the use of janet-lang to trusted users and sandbox its execution environment where possible to reduce the risk of local exploitation. Regularly review and update software dependencies to minimize exposure to known vulnerabilities.