CVE-2026-41146

· Published 22/04/2026 02:16 · Modified 22/04/2026 21:23

Labels: CVE-2026-41146 · 2026-04-22 · CWE-400 · [email protected]

Essential information

Published
22/04/2026 02:16
Modified
22/04/2026 21:23
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product            CPE
facil.io / facil   cpe:2.3:a:facil.io:facil:*:*:*:*:*:*:*:*
iodine / iodine    cpe:2.3:a:iodine:iodine:*:*:*:*:*:*:*:*

References