CVE-2026-41146
Received Received - Intake
Infinite Loop in facil.io and iodine JSON Parser Causes High CPU Usage

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
facil.io is a C micro-framework for web applications. Prior to commit 5128747363055201d3ecf0e29bf0a961703c9fa0, `fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON. The smallest reproducer I found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value. Commit 5128747363055201d3ecf0e29bf0a961703c9fa0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41146
EUVD
EUVD-2026-24583
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
boazsegev facil.io 0.7.58
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by making the affected application consume 100% CPU on one core indefinitely when parsing crafted JSON input containing invalid 'i' or 'I' tokens.

Attackers can exploit this by sending specially crafted JSON payloads to applications using facil.io or iodine that parse attacker-controlled JSON, causing the application to hang and become unresponsive.

The impact is limited to availability; there are no observed impacts on confidentiality or integrity.

Executive Summary

CVE-2026-41146 is a high-severity denial-of-service vulnerability in the facil.io C micro-framework and the downstream iodine Ruby gem, both of which share the same JSON parser code. The vulnerability occurs because the JSON parser enters an infinite loop when it encounters a nested JSON value starting with the character 'i' or 'I'.

Technically, the parser tries to parse such tokens as integers using a function that fails to advance the parsing position, causing the parser to get stuck in a loop without returning an error. This results in the process consuming 100% CPU on one core indefinitely.

The issue affects facil.io versions up to 0.7.58 and iodine versions that vendor the same parser code. Minimal JSON payloads that trigger the bug include malformed inputs like `[i` or `{"a":i`. The parser also tolerates missing commas, which can lead to the same hang after quoted values.

A patch was applied to fix the issue by adding checks to ensure the parser does not accept tokens if the parsing position does not advance, thus preventing the infinite loop.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by making the affected application consume 100% CPU on one core indefinitely when parsing specially crafted JSON input containing invalid 'i' or 'I' tokens.

The impact is primarily on availability, as the process hangs and becomes unresponsive, potentially leading to service outages or degraded performance.

There is no observed impact on confidentiality or integrity, meaning no data leakage or unauthorized data modification occurs due to this vulnerability.

Detection Guidance

This vulnerability can be detected by monitoring for processes using facil.io or iodine that exhibit unusually high CPU usage, specifically pegging one CPU core at 100% during JSON parsing operations.

A practical detection method is to send crafted JSON payloads that trigger the infinite loop, such as minimal JSON inputs containing a bare 'i' or 'I' token inside arrays or objects, for example: `[i` or `{"a":i`.

You can test the vulnerability by sending HTTP POST requests with Content-Type: application/json containing these payloads to servers using facil.io or iodine.

  • Use curl to send a test payload: curl -X POST -H "Content-Type: application/json" -d '[i' http://target-server/
  • Monitor CPU usage with top or htop to detect if the process handling the JSON request spins at 100% CPU.
  • Check server logs for requests with malformed JSON that cause the parser to hang or never return.
Mitigation Strategies

The immediate mitigation step is to update facil.io and iodine to versions that include the patch fixing this vulnerability.

The patch modifies the JSON parser to detect and reject zero-character consumption during numeric parsing, preventing the infinite loop caused by invalid 'i' or 'I' tokens.

  • Upgrade facil.io to a version including commit 5128747363055201d3ecf0e29bf0a961703c9fa0 or later.
  • Upgrade iodine gem to version 0.7.58 or later, which includes the fixed vendored parser.

Until upgrades can be applied, consider implementing input validation or filtering to reject JSON inputs containing bare 'i' or 'I' tokens in arrays or objects.

Executive Summary

CVE-2026-41146 is a high-severity denial-of-service vulnerability in the facil.io C micro-framework and the downstream iodine Ruby gem, both of which share the same JSON parser code. The vulnerability occurs because the JSON parser enters an infinite loop when it encounters a nested JSON value starting with the character 'i' or 'I'.

Technically, the parser tries to parse such tokens as integers using a function that fails to advance the parsing position pointer. Since the parser does not move forward and does not detect an error, it loops indefinitely, causing the process to consume 100% CPU on one core without returning a parse error.

This infinite loop can be triggered by minimal JSON payloads such as `[i` or `{"a":i`. The parser also tolerates missing commas, which can lead to the same issue after quoted values.

A patch was applied to fix this by adding checks to ensure the parser does not accept tokens if the parsing pointer does not advance, thus preventing the infinite loop.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by making the affected application consume 100% CPU on one core indefinitely when parsing specially crafted JSON input.

Because the parser hangs in an infinite loop, the application or service using facil.io or iodine to parse JSON may become unresponsive or significantly degraded in performance.

There is no observed impact on confidentiality or integrity, but the availability of the service is highly impacted.

Detection Guidance

This vulnerability can be detected by monitoring for processes using 100% CPU on one core during JSON parsing operations involving facil.io or iodine. Specifically, sending crafted JSON payloads containing malformed nested JSON values starting with the character 'i' or 'I' can trigger the infinite loop.

A minimal test payload that triggers the issue is the JSON array: [i

You can test the vulnerability by sending HTTP POST requests with Content-Type: application/json containing such payloads to applications using facil.io or iodine.

For example, using curl to send a test payload to a suspected vulnerable server:

  • curl -X POST -H "Content-Type: application/json" -d '[i' http://target-server/path

If the server process hangs or CPU usage spikes to 100% on one core, it indicates the vulnerability is present.

Additionally, monitoring logs for JSON parsing errors or hangs during processing of JSON inputs starting with 'i' or 'I' can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to update facil.io and iodine to versions that include the patch fixing this vulnerability.

The fix involves modifying the JSON parser to detect and reject zero-character consumption during numeric parsing, preventing the infinite loop.

Specifically, upgrade facil.io to a version including commit 5128747363055201d3ecf0e29bf0a961703c9fa0 or later, and similarly update iodine to version 0.7.58 or later.

Until updates can be applied, consider implementing input validation or filtering to block JSON payloads containing malformed nested values starting with 'i' or 'I'.

Also, monitor and limit CPU usage of processes parsing JSON to detect and mitigate denial-of-service attempts.

Executive Summary

CVE-2026-41146 is a high-severity denial-of-service vulnerability in the facil.io C micro-framework and the iodine Ruby gem, both of which share the same JSON parser code. The vulnerability occurs because the JSON parser enters an infinite loop when it encounters a nested JSON value starting with the character 'i' or 'I'.

Technically, the parser tries to parse such tokens as integers using a function that fails to advance the parsing position, causing the parser to get stuck in a loop without returning an error. This results in the process consuming 100% CPU on one core indefinitely.

The issue affects any application using facil.io or iodine that parses attacker-controlled JSON containing malformed tokens like '[i' or '{"a":i'. A patch was applied to detect and reject these invalid tokens to prevent the infinite loop.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by making the affected application consume 100% CPU on one core indefinitely when parsing specially crafted JSON input.

The impact is on availability, as the infinite loop prevents the application from processing further requests or tasks, potentially leading to service outages or degraded performance.

There is no observed impact on confidentiality or integrity, meaning data is not leaked or altered due to this vulnerability.

Detection Guidance

This vulnerability can be detected by monitoring for processes using facil.io or iodine that exhibit unusually high CPU usage, specifically pegging one CPU core at 100% during JSON parsing operations.

A practical detection method is to send crafted JSON payloads that trigger the infinite loop, such as minimal JSON inputs containing bare 'i' or 'I' tokens inside arrays or objects, for example: `[i`, `{"a":i`, `[""i`, or `{"a":""i`.

You can test the vulnerability by sending these payloads via HTTP POST requests with Content-Type: application/json to services using facil.io or iodine JSON parsers and observing if the process hangs or CPU usage spikes.

Example command using curl to test a web service endpoint (replace <url> with target):

  • curl -X POST -H "Content-Type: application/json" -d '[i' <url>
  • curl -X POST -H "Content-Type: application/json" -d '{"a":i' <url>

Additionally, monitoring system tools like top, htop, or ps can help identify processes stuck in the infinite loop by their CPU usage.

Mitigation Strategies

The immediate mitigation step is to update facil.io and iodine to versions that include the patch fixing this vulnerability.

The fix involves modifying the JSON parser to detect and reject zero-character consumption during numeric parsing, preventing the infinite loop.

Specifically, upgrade facil.io to versions including commit 5128747363055201d3ecf0e29bf0a961703c9fa0 or later, and update iodine gem to version 0.7.58 or later.

If immediate upgrade is not possible, consider implementing input validation or filtering to block JSON inputs containing bare 'i' or 'I' tokens in arrays or objects before they reach the parser.

Monitor your systems for high CPU usage caused by JSON parsing and consider rate limiting or blocking suspicious requests that might exploit this vulnerability.

Executive Summary

CVE-2026-41146 is a high-severity denial-of-service vulnerability in the facil.io C micro-framework and the downstream iodine Ruby gem, both of which share the same JSON parser implementation.

The vulnerability occurs because the JSON parser enters an infinite loop when it encounters a nested JSON value starting with the character 'i' or 'I'. Specifically, the parser tries to parse these tokens as integers but fails to advance the parsing position, causing the parser to repeatedly process the same input without progress.

This infinite loop results in the process consuming 100% CPU on one core indefinitely, effectively causing a denial-of-service condition.

The issue arises from the parser's numeral handling logic, where zero-character consumption during numeric parsing is not treated as a failure, allowing invalid tokens like bare 'i' or 'I' to be accepted erroneously.

Minimal JSON payloads that trigger this bug include malformed inputs such as `[i`, `{"a":i`, `[""i`, and `{"a":""i`.

A patch was applied to fix this by adding checks to ensure the parser does not continue if the parsing position does not advance after attempting to parse a number.

Detection Guidance

This vulnerability can be detected by monitoring for processes using facil.io or iodine that exhibit unusually high CPU usage, specifically one CPU core pegged at 100% during JSON parsing operations.

A practical detection method is to send crafted JSON payloads that trigger the infinite loop, such as minimal JSON inputs containing a bare 'i' or 'I' token inside arrays or objects. Examples of such payloads include: `[i`, `{"a":i`, `[""i`, or `{"a":""i`.

You can test the vulnerability by issuing HTTP POST requests with these payloads to services using facil.io or iodine that accept JSON input. For example, using curl:

  • curl -X POST -H "Content-Type: application/json" -d '[i' http://target-service/
  • curl -X POST -H "Content-Type: application/json" -d '{"a":i' http://target-service/

If the service hangs or the CPU usage spikes to 100% on one core without returning an error, it indicates the presence of the vulnerability.

Mitigation Strategies

The immediate mitigation step is to update facil.io and iodine to versions that include the patch fixing this vulnerability.

The patch modifies the JSON parser to detect and reject zero-character consumption during numeric parsing, preventing the infinite loop caused by invalid tokens like bare 'i' or 'I'.

Specifically, upgrade facil.io to versions including commit 5128747363055201d3ecf0e29bf0a961703c9fa0 or later, and similarly update iodine to version 0.7.58 or later where the fix is applied.

If immediate upgrading is not possible, consider implementing input validation or filtering to reject JSON inputs containing bare 'i' or 'I' tokens in arrays or objects before parsing.

Additionally, monitor system processes for abnormal CPU usage patterns that may indicate exploitation attempts.

Compliance Impact

CVE-2026-41146 is a denial-of-service vulnerability that causes high CPU usage and process hangs due to an infinite loop in JSON parsing. The vulnerability impacts availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized data access, modification, or disclosure, it does not directly compromise data privacy or security controls required by standards such as GDPR or HIPAA.

However, the denial-of-service impact could affect system availability, which is a component of some compliance frameworks that require maintaining service availability and resilience.

Organizations relying on facil.io or iodine for JSON parsing should consider this vulnerability in their risk assessments and apply the patch to maintain compliance with availability requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41146. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart