PT-2026-34238 · Iodine+1

Published: 2026-04-14 · Updated: 2026-04-25 · CVE-2026-41146

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

facil.io versions prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0
iodine (affected versions not specified)

Description

The fio_json_parse() function can enter an infinite loop when encountering a nested JSON value that starts with the character i or I. This causes the process to consume approximately 100% of a CPU core's resources instead of returning a parse error. This issue occurs because the parser may tolerate missing commas and treat trailing characters as the start of a new value.

Recommendations

Update to commit 5128747363055201d3ecf0e29bf0a961703c9fa0 or a newer version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Infinite Loop

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2026-41146
GHSA-2X79-GWQ3-VXXM

Affected Products

Facil.Io
Iodine