Description
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
Published: 2026-05-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A signed integer overflow in jq’s bytecode VM stack allocation causes the stack size to wrap around when it exceeds roughly one gigabyte. The wrapped value is then passed to realloc and later used in a memmove with attacker‑influenced offsets, enabling the attacker to corrupt memory. This flaw is an integer overflow combined with a buffer overflow, which can lead to arbitrary memory corruption and potentially arbitrary code execution, as defined by CWE‑190 and CWE‑787.
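The failure mode named in the Description and restated above, shown as an added C illustration that is not jq's code and does not reproduce `stack_reallocate`: a growth routine that tracks its allocation size in a signed int and doubles it, beside a hardened routine that uses size_t with an explicit overflow pre-check and a configurable ceiling. The function names and the 1 GiB starting size are constructed for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Weak pattern: size held in a signed int, grown by doubling.
 * Signed overflow is undefined behaviour in C, so the wrap is
 * computed in unsigned arithmetic and converted back, which is
 * what two's-complement targets produce in practice. */
int grow_signed(int cur_bytes) {
    unsigned int doubled = (unsigned int)cur_bytes * 2u;
    return (int)doubled;          /* 1 GiB * 2 lands on INT_MIN */
}

/* The wrapped int as realloc would receive it once converted to
 * size_t: a negative value becomes a huge unsigned request. */
size_t as_alloc_size(int n) {
    return (size_t)n;
}

/* Hardened pattern: size_t, overflow check before multiplying,
 * and a policy ceiling so growth fails closed instead of wrapping. */
bool grow_checked(size_t cur_bytes, size_t max_bytes, size_t *out) {
    if (cur_bytes > SIZE_MAX / 2) return false;   /* doubling would overflow */
    size_t next = cur_bytes * 2;
    if (next > max_bytes) return false;           /* over the configured limit */
    *out = next;
    return true;
}

int main(void) {
    int cur = 1 << 30;            /* constructed: 1 GiB tracked in an int */
    int wrapped = grow_signed(cur);
    printf("signed doubling of %d gives %d\n", cur, wrapped);
    printf("handed to realloc as size_t: %zu\n", as_alloc_size(wrapped));

    size_t next = 0;
    if (!grow_checked((size_t)cur, (size_t)1 << 30, &next))
        puts("checked growth refused: ceiling reached, no wrap");
    return 0;
}
```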

Affected Systems

The affected product is jq from jqlang. Versions 1.8.1 and earlier are vulnerable. No other vendor or product versions are impacted according to the CNA information.

Risk and Exploitability

The overall CVSS score is 6.4, reflecting moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or author‑controlled use of jq; an attacker can supply deeply nested generator forks through command‑line input to trigger the overflow. The content of the input can influence the signed integer calculation and the subsequent memory operations, so the flaw is exploitable when the attacker controls or can influence the JSON data processed by jq.

Generated by OpenCVE AI on May 11, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update jq to a version newer than 1.8.1 that contains the fix for the signed‑int overflow in stack_reallocate.
  • If an update cannot be applied immediately, execute jq only with trusted, non‑privileged users and limit the size of input data to prevent deep nesting that would trigger the overflow.
  • Sanitize or validate any JSON input before passing it to jq, ensuring nested structures are bounded and do not rely on attacker‑controlled depth.



Advisories

No advisories yet.

History

Mon, 11 May 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Jqlang; Jqlang jq

Type: Vendors & Products
Values Added: Jqlang; Jqlang jq

Mon, 11 May 2026 18:00:00 +0000

Type: Description
Values Added: jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.

Type: Title
Values Added: jq: Signed-int overflow in `stack_reallocate` (jq VM stack)

Type: Weaknesses
Values Added: CWE-190; CWE-787

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 6.4, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T19:25:59.800Z

Reserved: 2026-04-18T14:01:46.801Z

Link: CVE-2026-41257

Vulnrichment

Updated: 2026-05-11T19:25:46.119Z

NVD

Status : Received

Published: 2026-05-11T18:16:34.127

Modified: 2026-05-11T20:25:41.877

Link: CVE-2026-41257

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:00:15Z

Weaknesses