Infinite Loop in facil.io C Micro-Framework Affecting JSON Parsing
CVE-2026-41146
What is CVE-2026-41146?
The facil.io framework, a popular C micro-framework for web applications, contains a vulnerability in its JSON parser. Before the fixing commit, the fio_json_parse function can enter an infinite loop when parsing nested JSON values that begin with the letter 'i' or 'I'. Instead of returning a parsing error, the parser spins, exhausting resources and driving one CPU core to near 100% utilization. The issue extends to the iodine framework, which bundles the same parser code, so an attacker can trigger the flaw with crafted JSON input. The vulnerability is addressed in commit 5128747363055201d3ecf0e29bf0a961703c9fa0.
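Until the patched parser is deployed, one defensive measure is to reject input that is not strict RFC 8259 JSON before it reaches the parser: the only bare (unquoted) tokens the grammar allows are numbers and the literals true, false and null, so any bare token beginning with 'i' or 'I' is already invalid and can be refused up front. The following pre-validator is an added example written for this page, not code from facil.io or iodine, and it makes no assumptions about the internals of fio_json_parse; the function names and the sample documents are hypothetical and constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pre-validator (added example, not facil.io code).
 * Walks a JSON document and rejects any bare token that is not a number
 * or one of the RFC 8259 literals true/false/null, so non-standard tokens
 * such as an unquoted "inf" or "Infinity" never reach the real parser.
 * Returns 0 when only standard tokens are present, -1 otherwise; when
 * bad_offset is non-NULL it receives the byte offset of the first
 * offending token. */
int json_reject_nonstandard_tokens(const char *doc, size_t len, size_t *bad_offset) {
    size_t i = 0;
    while (i < len) {
        char c = doc[i];
        if (c == '"') {
            /* Skip the string body, honouring backslash escapes. */
            i++;
            while (i < len && doc[i] != '"') {
                if (doc[i] == '\\' && i + 1 < len) i++;
                i++;
            }
            i++; /* closing quote (or end of input) */
        } else if (isspace((unsigned char)c) || (c != '\0' && strchr("{}[]:,", c))) {
            i++;
        } else if (c == '-' || (c >= '0' && c <= '9')) {
            /* Consume a numeric token: sign, digits, fraction, exponent. */
            while (i < len && doc[i] != '\0' && strchr("+-0123456789.eE", doc[i])) i++;
        } else if (isalpha((unsigned char)c)) {
            size_t start = i;
            while (i < len && isalpha((unsigned char)doc[i])) i++;
            size_t n = i - start;
            int ok = (n == 4 && !strncmp(doc + start, "true", 4)) ||
                     (n == 5 && !strncmp(doc + start, "false", 5)) ||
                     (n == 4 && !strncmp(doc + start, "null", 4));
            if (!ok) {
                if (bad_offset) *bad_offset = start;
                return -1;
            }
        } else {
            /* Any other byte is not JSON syntax at all. */
            if (bad_offset) *bad_offset = i;
            return -1;
        }
    }
    return 0;
}

/* Convenience wrapper for NUL-terminated documents: returns the offset of
 * the first non-standard token, or -1 when the document passes. */
long json_first_nonstandard_token(const char *doc) {
    size_t off = 0;
    if (json_reject_nonstandard_tokens(doc, strlen(doc), &off) == 0) return -1;
    return (long)off;
}

int main(void) {
    /* Constructed sample documents. */
    const char *docs[] = {
        "{\"a\": [1, 2, {\"b\": true, \"c\": null}]}", /* standard JSON */
        "{\"a\": \"inf\"}",                              /* 'inf' inside a string is fine */
        "{\"a\": {\"b\": Infinity}}",                    /* bare non-standard literal */
        "[inf]",
    };
    for (size_t k = 0; k < sizeof docs / sizeof docs[0]; k++) {
        long off = json_first_nonstandard_token(docs[k]);
        if (off < 0)
            printf("accept: %s\n", docs[k]);
        else
            printf("reject at offset %ld: %s\n", off, docs[k]);
    }
    return 0;
}
```

The check runs in a single linear pass and touches no parser state, so it can sit in front of fio_json_parse (or any other JSON entry point) as a cheap gate; it is deliberately stricter than some lenient parsers and will also refuse documents that rely on non-standard extensions such as NaN or comments.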
Affected Version(s)
facil.io < 5128747363055201d3ecf0e29bf0a961703c9fa0
iodine < 0.7.59
