Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-2241

3.3 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

janet-lang janet os.c os_strftime out-of-bounds

A vulnerability was found in janet-lang janet up to 1.40.1. This affects the function os_strftime of the file src/core/os.c. Performing a manipulation results in out-of-bounds read. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is named 0f285855f0e34f9183956be5f16e045f54626bff. To fix this issue, it is recommended to deploy a patch.

References

VDB-344980 | janet-lang janet os.c os_strftime out-of-bounds vdb-entrytechnical-description
VDB-344980 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #753156 | janet-lang janet c43e066 Heap-based Buffer Overflow third-party-advisory
https://github.com/janet-lang/janet/issues/1701 issue-tracking
https://github.com/janet-lang/janet/issues/1701#event-4446770461 issue-tracking
https://github.com/oneafter/0123/blob/main/ja3/repro exploit
https://github.com/janet-lang/janet/commit/0f285855f0e34f9183956be5f16e045f5462… patch
https://github.com/janet-lang/janet/ product

Affected products

janet

==1.40.0
==1.40.1

Matching in nixpkgs

pkgs.janet

Janet programming language

nixos-unstable 1.38.0
- nixpkgs-unstable 1.40.1
- nixos-unstable-small 1.40.1
nixos-25.11 1.39.1
- nixpkgs-25.11-darwin 1.39.1

pkgs.vscode-extensions.janet-lang.vscode-janet

Janet language support for Visual Studio Code

nixos-unstable 0.0.2
- nixpkgs-unstable 0.0.2
- nixos-unstable-small 0.0.2
nixos-25.11 0.0.2
- nixpkgs-25.11-darwin 0.0.2

pkgs.tree-sitter-grammars.tree-sitter-janet-simple

None

nixos-unstable 0.25.6
- nixpkgs-unstable 0.0.7-unstable-2025-05-19
- nixos-unstable-small 0.0.7-unstable-2025-05-19
nixos-25.11 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.vimPlugins.nvim-treesitter-parsers.janet_simple

None

nixos-unstable -
- nixpkgs-unstable 0.0.0+rev=7e28cbf
- nixos-unstable-small 0.0.0+rev=7e28cbf
nixos-25.11 -
- nixpkgs-25.11-darwin

pkgs.python312Packages.tree-sitter-grammars.tree-sitter-janet-simple

Python bindings for tree-sitter-janet-simple

nixos-unstable 0.25.6
nixos-25.11 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-janet-simple

Python bindings for tree-sitter-janet-simple

nixos-unstable 0.25.6
- nixpkgs-unstable 0.0.7+unstable20250519
- nixos-unstable-small 0.0.7+unstable20250519
nixos-25.11 0.25.10
- nixpkgs-25.11-darwin 0.25.10

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-janet-simple

Python bindings for tree-sitter-janet-simple

nixos-unstable -
- nixpkgs-unstable 0.0.7+unstable20250519
- nixos-unstable-small 0.0.7+unstable20250519

Package maintainers

@peterhoeg Peter Hoeg <peter@hoeg.com>
@andrewchambers Andrew Chambers <ac@acha.ninja>
@stepbrobd Yifei Sun <ysun@hey.com>
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
@adfaure Adrien Faure <adfaure@pm.me>
@A-jay98 Ali Jamadi <ali@jamadi.me>
@wackbyte wackbyte <wackbyte@pm.me>