CVE-2026-41146: CWE-400: Uncontrolled Resource Consumption in boazsegev facil.io
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.
AI Analysis
Technical Summary
The vulnerability in facil.io's JSON parser (fio_json_parse) causes an infinite loop when encountering nested JSON values beginning with 'i' or 'I'. This leads to a denial-of-service condition by pegging one CPU core at full utilization. The smallest input triggering the issue is '[i'. The parser tolerates missing commas, which contributes to the bug. The same parser is used in iodine, making it vulnerable as well. The issue is addressed by a specific commit (5128747363055201d3ecf0e29bf0a961703c9fa0), but no official patch or advisory is provided in the data.
Potential Impact
An attacker can supply specially crafted JSON input to cause the affected application to enter an infinite loop, resulting in high CPU usage and potential denial of service. This impacts availability by exhausting CPU resources on the affected system. There is no indication of data confidentiality or integrity impact. No known exploits in the wild have been reported.
Mitigation Recommendations
The issue is fixed in commit 5128747363055201d3ecf0e29bf0a961703c9fa0. Users should update to a version including this commit to remediate the vulnerability. Since no official vendor advisory or patch release is provided, users must verify that their facil.io or iodine versions include this fix. Patch status is not yet confirmed via vendor advisory; check the vendor's repository or official channels for updated releases containing the fix.
CVE-2026-41146: CWE-400: Uncontrolled Resource Consumption in boazsegev facil.io
Description
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in facil.io's JSON parser (fio_json_parse) causes an infinite loop when encountering nested JSON values beginning with 'i' or 'I'. This leads to a denial-of-service condition by pegging one CPU core at full utilization. The smallest input triggering the issue is '[i'. The parser tolerates missing commas, which contributes to the bug. The same parser is used in iodine, making it vulnerable as well. The issue is addressed by a specific commit (5128747363055201d3ecf0e29bf0a961703c9fa0), but no official patch or advisory is provided in the data.
Potential Impact
An attacker can supply specially crafted JSON input to cause the affected application to enter an infinite loop, resulting in high CPU usage and potential denial of service. This impacts availability by exhausting CPU resources on the affected system. There is no indication of data confidentiality or integrity impact. No known exploits in the wild have been reported.
Mitigation Recommendations
The issue is fixed in commit 5128747363055201d3ecf0e29bf0a961703c9fa0. Users should update to a version including this commit to remediate the vulnerability. Since no official vendor advisory or patch release is provided, users must verify that their facil.io or iodine versions include this fix. Patch status is not yet confirmed via vendor advisory; check the vendor's repository or official channels for updated releases containing the fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T12:59:15.739Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8285d19fe3cd2cd272487
Added to database: 4/22/2026, 1:46:05 AM
Last enriched: 4/22/2026, 2:01:49 AM
Last updated: 4/22/2026, 6:17:56 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.