VYPR
Low severity · 3.3 · NVD Advisory · Published Jun 1, 2026 · Updated Jun 1, 2026

CVE-2026-10268

Description

A signed integer overflow in janet-lang's fiber deserialization logic can lead to heap memory corruption or excessive allocation requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A signed integer overflow vulnerability exists in the unmarshal_one_fiber function within src/core/marsh.c of janet-lang versions up to 1.41.0. The vulnerability occurs because the fiber_stacktop variable, which is derived from attacker-controlled serialized data, is incremented by 10 without proper bounds checking. When fiber_stacktop is set to INT32_MAX, the addition results in a signed integer overflow, leading to an incorrect fiber->capacity value [2], [3].

Exploitation

An attacker can exploit this by providing a crafted serialized binary file to the unmarshal function. The attacker must control the fiber_stacktop and fiber_maxstack values within the serialized data to bypass existing validation checks. On 64-bit systems, this triggers an excessively large memory allocation request, while on 32-bit systems, it results in an undersized heap buffer allocation that is subsequently overflowed during deserialization [2], [3].

Impact

Successful exploitation can lead to a denial-of-service condition due to memory allocation failures or, on 32-bit architectures, potential heap-based buffer overflows. This may allow an attacker to corrupt memory, potentially leading to arbitrary code execution or application crashes depending on the environment and the specific memory layout [2].

Mitigation

The issue is addressed in commit d9b1d711ea1fde52ac73a82088b512a3e17bad0d, which introduces a bounds check before calculating fiber->capacity to ensure the addition does not overflow INT32_MAX [4]. Users are advised to update to a version containing this patch.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

1
d9b1d711ea1f

Add fix for #1744

https://github.com/janet-lang/janet · Calvin Rose · Apr 26, 2026 · via nvd-ref
1 file changed · +6 -1
  • src/core/marsh.c · +6 -1 · modified
    @@ -1111,7 +1111,12 @@ static const uint8_t *unmarshal_one_fiber(
         }
     
         /* Allocate stack memory */
    -    fiber->capacity = fiber_stacktop + 10;
    +    if (fiber_stacktop < INT32_MAX - 10) {
    +        fiber->capacity = fiber_stacktop + 10;
    +    } else {
    +        /* Extra capacity is usually nice to avoid immediately reallocing on pushed arguments, but not needed */
    +        fiber->capacity = INT32_MAX;
    +    }
         fiber->data = janet_malloc(sizeof(Janet) * fiber->capacity);
         if (!fiber->data) {
             JANET_OUT_OF_MEMORY;
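
Review bot: The new branch bounds the addition, but the context line `fiber->data = janet_malloc(sizeof(Janet) * fiber->capacity);` still multiplies without a check, and the else branch now feeds it `INT32_MAX`. That request is sizeof(Janet) * INT32_MAX bytes driven by untrusted input, and on a target with a 32-bit size_t the product cannot be represented at all. Consider failing the unmarshal with an error when `fiber_stacktop` is at or above `INT32_MAX - 10` instead of capping, and checking `fiber->capacity` against `SIZE_MAX / sizeof(Janet)` before the call. The literal 10 now appears three times and would read better as a named constant, and the change (1 file changed) adds no regression test for #1744.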
    

Vulnerability mechanics

Root cause

"An integer overflow occurs during fiber stack capacity calculation when adding a constant to a user-controlled value."

Attack vector

An attacker can trigger this vulnerability by providing a crafted input to the unmarshal process that causes the fiber stack capacity calculation to exceed the maximum value representable by a 32-bit signed integer. This overflow leads to an incorrect allocation size for the fiber's data buffer, potentially resulting in a buffer overflow [patch_id=4328687]. The attack can be executed locally by manipulating the input data processed by the affected function.

Affected code

The vulnerability is located in the `unmarshal_one_fiber` function within the `src/core/marsh.c` file.

What the fix does

The patch introduces a bounds check before calculating the fiber capacity to ensure the sum does not exceed INT32_MAX [patch_id=4328687]. If the calculated capacity would exceed this limit, the code now caps the capacity at INT32_MAX instead of allowing the integer to wrap around. This prevents the allocation of an undersized buffer, thereby mitigating the risk of a buffer overflow.
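
To make the arithmetic concrete, the added example below (not Janet's source and not the project's patch) models the pre-patch capacity expression for a 32-bit and a 64-bit `size_t` and sets it beside a hardened variant that rejects the input and, going beyond the patch, also checks the multiplication. `SLOT_SIZE` (8, standing in for `sizeof(Janet)`), `STACK_SLACK` and all function names are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_SLACK 10   /* the constant the page says is added to fiber_stacktop */
#define SLOT_SIZE   8u   /* assumption: stand-in for sizeof(Janet) */

/* Two's-complement wrap of a too-large sum, computed without undefined behaviour. */
static int32_t wrap_i32(int64_t v) {
    return (int32_t)(v > INT32_MAX ? v - 4294967296LL : v);
}

/* Byte count the pre-patch expression would request, for a size_t that is
 * size_bits (32 or 64) wide. */
uint64_t unchecked_alloc_bytes(int32_t stacktop, int size_bits) {
    int32_t capacity = wrap_i32((int64_t)stacktop + STACK_SLACK);
    uint64_t bytes = (uint64_t)(int64_t)capacity * SLOT_SIZE; /* sign-extends, wraps mod 2^64 */
    return size_bits == 32 ? (bytes & UINT32_MAX) : bytes;
}

/* Hardened form: reject instead of wrapping. Returns 0 and sets *bytes, or -1. */
int checked_alloc_bytes(int32_t stacktop, int size_bits, uint64_t *bytes) {
    uint64_t size_max = size_bits == 32 ? UINT32_MAX : UINT64_MAX;
    if (stacktop < 0 || stacktop > INT32_MAX - STACK_SLACK)
        return -1;                        /* the addition would overflow int32 */
    uint64_t capacity = (uint64_t)stacktop + STACK_SLACK;
    if (capacity > size_max / SLOT_SIZE)
        return -1;                        /* the byte count would overflow size_t */
    *bytes = capacity * SLOT_SIZE;
    return 0;
}

int main(void) {
    const int32_t samples[] = {100, INT32_MAX - 10, INT32_MAX}; /* constructed inputs */
    const int widths[] = {32, 64};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        for (size_t w = 0; w < 2; w++) {
            uint64_t ok_bytes = 0;
            int rc = checked_alloc_bytes(samples[i], widths[w], &ok_bytes);
            printf("stacktop=%" PRId32 " size_t=%d-bit unchecked=0x%" PRIx64 " checked=%s\n",
                   samples[i], widths[w],
                   unchecked_alloc_bytes(samples[i], widths[w]),
                   rc == 0 ? "accepted" : "rejected");
        }
    }
    return 0;
}
```

With `stacktop` at `INT32_MAX`, the unchecked form yields a 72-byte request on the 32-bit model and a request near 2^64 bytes on the 64-bit model, which matches the two platform outcomes the advisory describes.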

Preconditions

  • input: The attacker must provide a specifically crafted input that triggers the integer overflow during the fiber stack allocation process.

Reproduction

The vulnerability can be reproduced using the proof-of-concept provided at https://github.com/biniamf/pocs/tree/main/janet-marsh-unmarshal-intovf.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
