CVE-2026-41146: CWE-400: Uncontrolled Resource Consumption in boazsegev facil.io
CVE-2026-41146 is a high-severity vulnerability in facil. io, a C micro-framework for web applications. The issue involves uncontrolled resource consumption due to an infinite loop in the JSON parser function `fio_json_parse` when processing nested JSON values starting with the character 'i' or 'I'. This causes the process to consume 100% CPU on one core without returning a parse error. The vulnerability also affects the iodine project, which uses the same parser code. The issue is fixed in commit 5128747363055201d3ecf0e29bf0a961703c9fa0. No official patch or vendor advisory is currently provided, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The vulnerability CVE-2026-41146 affects facil.io versions prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0. The JSON parser function `fio_json_parse` can enter an infinite loop when encountering nested JSON values starting with 'i' or 'I', causing uncontrolled resource consumption by pegging one CPU core at 100%. This behavior results from the parser tolerating missing commas and misinterpreting trailing 'i' characters as new values, leading to a spin in user space rather than a parse error. The iodine project, which vendors the same parser code, is also affected. The issue is resolved by the referenced commit, but no explicit vendor advisory or patch link is provided.
Potential Impact
An attacker can cause a denial of service by sending specially crafted JSON input that triggers an infinite loop in the parser, resulting in high CPU usage and potential service disruption. The vulnerability does not require authentication or user interaction and can be triggered remotely via network access to the affected parser. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is available in commit 5128747363055201d3ecf0e29bf0a961703c9fa0 of facil.io. Users should upgrade to a version that includes this commit to remediate the issue. Since no official vendor advisory or patch link is provided, users should monitor the facil.io project repository or vendor communications for an official release containing this fix. Until patched, consider restricting or validating JSON input to avoid nested values starting with 'i' or 'I' if feasible.
CVE-2026-41146: CWE-400: Uncontrolled Resource Consumption in boazsegev facil.io
Description
CVE-2026-41146 is a high-severity vulnerability in facil. io, a C micro-framework for web applications. The issue involves uncontrolled resource consumption due to an infinite loop in the JSON parser function `fio_json_parse` when processing nested JSON values starting with the character 'i' or 'I'. This causes the process to consume 100% CPU on one core without returning a parse error. The vulnerability also affects the iodine project, which uses the same parser code. The issue is fixed in commit 5128747363055201d3ecf0e29bf0a961703c9fa0. No official patch or vendor advisory is currently provided, and no known exploits are reported in the wild.
CVSS v4.0
Score 8.7high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-41146 affects facil.io versions prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0. The JSON parser function `fio_json_parse` can enter an infinite loop when encountering nested JSON values starting with 'i' or 'I', causing uncontrolled resource consumption by pegging one CPU core at 100%. This behavior results from the parser tolerating missing commas and misinterpreting trailing 'i' characters as new values, leading to a spin in user space rather than a parse error. The iodine project, which vendors the same parser code, is also affected. The issue is resolved by the referenced commit, but no explicit vendor advisory or patch link is provided.
Potential Impact
An attacker can cause a denial of service by sending specially crafted JSON input that triggers an infinite loop in the parser, resulting in high CPU usage and potential service disruption. The vulnerability does not require authentication or user interaction and can be triggered remotely via network access to the affected parser. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is available in commit 5128747363055201d3ecf0e29bf0a961703c9fa0 of facil.io. Users should upgrade to a version that includes this commit to remediate the issue. Since no official vendor advisory or patch link is provided, users should monitor the facil.io project repository or vendor communications for an official release containing this fix. Until patched, consider restricting or validating JSON input to avoid nested values starting with 'i' or 'I' if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T12:59:15.739Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8285d19fe3cd2cd272487
Added to database: 4/22/2026, 1:46:05 AM
Last enriched: 4/29/2026, 11:43:40 AM
Last updated: 6/5/2026, 10:53:53 AM
Views: 69
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.