{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41244", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-18T03:47:03.135Z", "datePublished": "2026-04-24T19:11:54.892Z", "dateUpdated": "2026-04-24T19:59:59.355Z"}, "containers": {"cna": {"title": "Mojic: Observable Timing Discrepancy in HMAC Verification", "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "lang": "en", "description": "CWE-208: Observable Timing Discrepancy", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"}], "affected": [{"vendor": "notamitgamer", "product": "mojic", "versions": [{"version": "< 2.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:11:54.892Z"}, "descriptions": [{"lang": "en", "value": "Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4."}], "source": {"advisory": "GHSA-wqq3-wfmp-v85g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T19:59:29.940685Z", "id": "CVE-2026-41244", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T19:59:59.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41244", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T19:59:29.940685Z"}}}], "references": [{"url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T19:59:56.082Z"}}], "cna": {"title": "Mojic: Observable Timing Discrepancy in HMAC Verification", "source": {"advisory": "GHSA-wqq3-wfmp-v85g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "notamitgamer", "product": "mojic", "versions": [{"status": "affected", "version": "< 2.1.4"}]}], "references": [{"url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g", "name": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208: Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:11:54.892Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41244", "state": "PUBLISHED", "dateUpdated": "2026-04-24T19:59:59.355Z", "dateReserved": "2026-04-18T03:47:03.135Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T19:11:54.892Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack. This vulnerability is fixed in 2.1.4."}], "id": "CVE-2026-41244", "lastModified": "2026-04-28T21:18:07.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T20:16:26.957", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "mojic", "source": "cna", "vendor": "notamitgamer"}, "product": "mojic", "vendor": "notamitgamer"}], "analysis": {"en": {"generated_at": "2026-04-28T13:35:38.157004+00:00", "value": {"mitigation_remediation": ["Upgrade Mojic to version 2.1.4 or later, which replaces the standard equality comparison with a proper constant\u2011time HMAC check.", "Remove or disable older Mojic binaries from the system to prevent accidental execution of the vulnerable code.", "Limit the CLI to trusted users or restrict file input to authenticated, verified sources, and consider implementing additional integrity checks if older versions must remain in use."], "summary": {"action": "Update", "impact": "Integrity Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Mojic CLI distributed by the notamitgamer project, specifically all releases older than 2.1.4. Users who continue to run these earlier versions are subject to the risk until they upgrade.", "description_and_impact": "Mojic, a command\u2011line tool that converts C source into a stream of emojis, verifies file integrity by comparing an HMAC\u2011SHA256 seal during decryption. In versions prior to 2.1.4 the comparison uses a standard equality operator (!==), which results in a measurable timing discrepancy (CWE\u2011208). This side\u2011channel can be exploited to gain knowledge about the HMAC value and ultimately allow an attacker to bypass the integrity check, letting forged files be processed as if they were authentic.", "risk_and_exploitability": "The CVSS score of 4.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply crafted inputs to the decryption routine and measure timing differences, which is more feasible in environments where the CLI is exposed to untrusted data or where an attacker can read the tool\u2019s timing output. Because no remote code execution or privilege escalation is achieved, the impact is limited to compromising file authenticity."}}}}, "created": "2026-04-27T19:52:52.031346+00:00", "updated": "2026-04-28T13:45:06.133048+00:00", "vendors": ["notamitgamer", "notamitgamer$PRODUCT$mojic"]}