Impact
jq is a command-line JSON processor. In versions up to 1.8.1, supplying a decimal literal with INT_MAX-1 digits triggers an integer overflow in the decNumber D2U() macro. Because of the overflow, the function bypasses its heap-allocation size check, falls back to a 30-byte stack buffer, and then writes roughly 1.4 GiB of attacker-controlled data at an offset well below the stack frame. The written bytes are derived directly from the parsed decimal digits, so the attacker controls what lands in process memory. An attacker who can supply such input can therefore corrupt stack memory, potentially leading to control-flow hijack or denial of service.
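The following is an added illustration, not jq's or decNumber's own code. It models the general shape of the bug described above: a rounding-up "digits to storage units" computation done in 32-bit int arithmetic, which wraps when the digit count is close to INT_MAX, placed beside a hardened form that caps the digit count and computes in a wider type. The digits-per-unit constant DPUN, the MAX_DIGITS cap and all function names are assumptions for this example; the real macro, buffer sizes and checks in jq are not reproduced here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not jq's or decNumber's code. DPUN stands in for the
 * number of decimal digits packed per storage Unit; the value 3 is an
 * assumption for this illustration only. */
#define DPUN 3

/* Cap on digits accepted from untrusted input (assumed value). */
#define MAX_DIGITS 100000

/* Unchecked model of a rounding-up digits-to-units computation,
 * (d + DPUN - 1) / DPUN, done in 32-bit int arithmetic. For d near INT_MAX
 * the addition exceeds INT_MAX. In real C that is undefined behaviour; here
 * the wrap is performed explicitly through uint32_t so the example is
 * deterministic and shows what a two's-complement wrap produces. */
static unsigned units_unchecked(int d) {
    uint32_t wrapped = (uint32_t)d + (uint32_t)(DPUN - 1);
    int32_t as_int = (int32_t)wrapped;   /* reinterpret, as an int overflow would */
    return (unsigned)(as_int / DPUN);
}

/* Mathematically correct unit count, computed in 64-bit arithmetic. */
static uint64_t units_correct(int d) {
    return ((uint64_t)d + (DPUN - 1)) / DPUN;
}

/* Hardened version: reject digit counts over the cap before doing any
 * arithmetic, and compute in a wider type so no wrap is possible. */
static bool units_checked(long d, unsigned *out) {
    if (d < 0 || d > MAX_DIGITS)
        return false;
    *out = (unsigned)(((uint64_t)d + (DPUN - 1)) / DPUN);
    return true;
}

/* Small wrappers so the hardened path can be queried by value. */
static bool accepts(long d) {
    unsigned u;
    return units_checked(d, &u);
}

static unsigned checked_units(long d) {
    unsigned u = 0;
    (void)units_checked(d, &u);
    return u;
}

int main(void) {
    int d = INT_MAX - 1;
    printf("digits=%d unchecked=%u correct=%llu\n", d, units_unchecked(d),
           (unsigned long long)units_correct(d));
    printf("hardened accepts INT_MAX-1 digits: %s\n", accepts(d) ? "yes" : "no");
    printf("hardened accepts 29 digits: %s (units=%u)\n",
           accepts(29) ? "yes" : "no", checked_units(29));
    return 0;
}
```

With DPUN set to 3, INT_MAX-1 digits should need 715827882 units, but the wrapped int computation yields 3579139414, a value that bears no relation to the real allocation need; the hardened path never reaches the arithmetic because the cap rejects the input first. The design point is that any size derived from untrusted input should be bounded before it is used to choose between a fixed buffer and a heap allocation.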
Affected Systems
The vendor “jqlang” provides the jq tool. Versions 1.8.1 and earlier are affected; newer releases are not listed as vulnerable in the advisory.
Risk and Exploitability
The CVSS score of 6.2 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires jq to be invoked on a specially crafted numeric literal, so the attack vector is local or depends on untrusted input reaching jq. The resulting stack write can overwrite return addresses or other control-flow data, enabling arbitrary code execution or a crash of the process. Remote exploitation is not explicitly described, but any environment in which untrusted data reaches jq is potentially at risk.
OpenCVE Enrichment