CVE-2026-41146
Description
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, fio_json_parse can enter an infinite loop when it encounters a nested JSON value that starts with i or I. Instead of returning a parse error, the process spins in user space and pegs one CPU core at ~100%, so a single malformed request is a CPU-exhaustion denial of service against any service that hands untrusted JSON to the parser. Because iodine vendors the same parser code, the issue also affects iodine when it parses attacker-controlled JSON. The smallest reproducer I found is [i (an opening bracket followed by a bare i). The quoted-value form that originally exposed the issue, [""i, reaches the same bug because the parser tolerates missing commas between array elements and therefore treats the trailing i as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue in facil.io; no patched iodine release is listed in the affected-packages table below, so iodine deployments that parse untrusted JSON should be treated as exposed until the gem picks up the fixed parser.
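The bug class described above is a value dispatcher that "succeeds" without consuming input, so the enclosing array loop re-dispatches on the same byte forever. The following C program is an added illustration written for this page; it is not facil.io's fio_json_parse or iodine's vendored copy, and it does not reproduce their actual control flow. It assumes a minimal scanner that handles arrays, strings, numbers and true/false/null, accepts a hypothetical non-standard Infinity/inf literal as the reason an i or I prefix is dispatched at all, and, like the real parser, tolerates a missing comma between elements. The `strict` flag selects between the no-progress behaviour (unknown i-literal reported as a zero-length success) and the hardened behaviour (unknown literal is a parse error). A step budget turns the hang into a detectable JSON_STUCK result, which is also the check a practitioner would bolt onto a fuzz harness for any hand-written parser: every dispatch must either advance the cursor or fail.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of scanning one JSON text. JSON_STUCK means the step budget ran out
 * without the cursor reaching the end: the hang the advisory describes. */
typedef enum { JSON_OK = 0, JSON_ERROR = 1, JSON_STUCK = 2 } json_status;

typedef struct {
    const char *p;       /* read cursor */
    const char *end;     /* one past the last byte */
    int strict;          /* 1: reject unknown literals; 0: reproduce the no-progress loop */
    unsigned steps;      /* values dispatched so far */
    unsigned max_steps;  /* budget so the buggy path terminates under test */
} json_ctx;

/* Lenient separator handling (assumption): whitespace and commas are both
 * optional, which is what makes [""i read as [ "", i. */
static void skip_sep(json_ctx *c) {
    while (c->p < c->end && *c->p && strchr(" \t\r\n,", *c->p)) c->p++;
}

/* Consume lit if it is the next thing in the input. */
static int consume_literal(json_ctx *c, const char *lit) {
    size_t n = strlen(lit);
    if ((size_t)(c->end - c->p) >= n && memcmp(c->p, lit, n) == 0) { c->p += n; return 1; }
    return 0;
}

static json_status parse_value(json_ctx *c) {
    if (++c->steps > c->max_steps) return JSON_STUCK;
    if (c->p >= c->end) return JSON_ERROR;
    switch (*c->p) {
    case '[':
        c->p++;
        for (;;) {
            skip_sep(c);
            if (c->p >= c->end) return JSON_ERROR;          /* unterminated array */
            if (*c->p == ']') { c->p++; return JSON_OK; }
            json_status s = parse_value(c);                 /* nested value */
            if (s != JSON_OK) return s;
        }
    case '"':
        c->p++;
        while (c->p < c->end && *c->p != '"') {
            if (*c->p == '\\' && c->p + 1 < c->end) c->p++; /* skip escaped byte */
            c->p++;
        }
        if (c->p >= c->end) return JSON_ERROR;              /* unterminated string */
        c->p++;
        return JSON_OK;
    case 't': return consume_literal(c, "true")  ? JSON_OK : JSON_ERROR;
    case 'f': return consume_literal(c, "false") ? JSON_OK : JSON_ERROR;
    case 'n': return consume_literal(c, "null")  ? JSON_OK : JSON_ERROR;
    case 'i': case 'I':
        /* Hypothetical non-standard literal (assumption). On a mismatch the
         * buggy path returns success without moving the cursor, so the array
         * loop above dispatches on the same 'i' again, forever. */
        if (consume_literal(c, "Infinity") || consume_literal(c, "inf")) return JSON_OK;
        return c->strict ? JSON_ERROR : JSON_OK;
    default:
        if (*c->p == '-' || (*c->p >= '0' && *c->p <= '9')) {
            while (c->p < c->end && strchr("-+.eE0123456789", *c->p)) c->p++;
            return JSON_OK;
        }
        return JSON_ERROR;
    }
}

/* Scan a NUL-terminated text; max_steps bounds the number of value dispatches. */
json_status json_scan(const char *text, int strict, unsigned max_steps) {
    json_ctx c = { text, text + strlen(text), strict, 0, max_steps };
    json_status s = parse_value(&c);
    if (s != JSON_OK) return s;
    skip_sep(&c);
    return c.p == c.end ? JSON_OK : JSON_ERROR;             /* trailing garbage */
}

int main(void) {
    /* Constructed inputs: the two reproducers from the advisory plus controls. */
    const char *inputs[] = { "[1, \"a\", true]", "[Infinity]", "[i", "[\"\"i", "[[\"x\" i]]" };
    static const char *names[] = { "ok", "error", "stuck" };
    for (size_t k = 0; k < sizeof inputs / sizeof *inputs; k++)
        printf("%-16s buggy=%-6s fixed=%s\n", inputs[k],
               names[json_scan(inputs[k], 0, 1000)], names[json_scan(inputs[k], 1, 1000)]);
    return 0;
}
```

With strict=0 both [i and [""i exhaust the budget (JSON_STUCK); with strict=1 they fail immediately (JSON_ERROR), and well-formed input, including elements separated only by whitespace, still parses. The fix pattern is the one that matters: an unrecognised byte in value position must be an error, never a zero-length value.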
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| iodine (RubyGems) | <= 0.7.58 | — |
Patches
- github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0 (fix in the facil.io parser; no patched iodine release is listed above)
References
- github.com/advisories/GHSA-2x79-gwq3-vxxm (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-41146 (NVD)
- github.com/boazsegev/facil.io/commit/5128747363055201d3ecf0e29bf0a961703c9fa0 (fix commit)
- github.com/boazsegev/facil.io/security/advisories/GHSA-2x79-gwq3-vxxm (facil.io security advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/iodine/CVE-2026-41146.yml (ruby-advisory-db entry for iodine)