Description
jq is a command-line JSON processor. Prior to 1.8.2, `jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2.
Published: 2026-06-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

jq’s handling of the --rawfile option can produce a heap‑buffer‑overflow in assertion‑disabled builds when an attacker supplies a file that causes the string accumulator to exceed its limits. The error handling recycles an invalid string object, allowing subsequent appends to write past the allocated memory. This out‑of‑bounds write can corrupt process memory, potentially leading to arbitrary code execution or program crashes. The flaw is a classic heap overflow identified as CWE‑787.
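The failure pattern from the description (an accumulator that has already become an error value is appended to again) can be shown with a small model. This is an added example, not jq's source code or its patch: the `val` type, `val_append`, `load_raw`, the 16-byte limit and the sample input are all constructed for illustration, and the model counts the reuse instead of touching memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not jq's source: a value is either a string or an error. */
enum kind { K_STRING, K_INVALID };
struct val { enum kind kind; char *buf; size_t len; };
#define MAX_LEN 16       /* constructed tiny limit standing in for "String too long" */
static int reuse_count;  /* appends attempted on an already-invalid value */

static struct val val_append(struct val v, const char *p, size_t n) {
    if (v.kind != K_STRING) {   /* real code would assert here, or corrupt memory */
        reuse_count++;
        return v;
    }
    if (n > MAX_LEN - v.len) {  /* overflow-safe form of len + n > MAX_LEN */
        free(v.buf);
        return (struct val){ K_INVALID, NULL, 0 };
    }
    char *nb = realloc(v.buf, v.len + n);
    if (!nb) { free(v.buf); return (struct val){ K_INVALID, NULL, 0 }; }
    memcpy(nb + v.len, p, n);
    return (struct val){ K_STRING, nb, v.len + n };
}

/* stop_on_error=0 models the flawed loop; 1 models a loop that stops on error. */
static struct val load_raw(const char *src, size_t total, size_t chunk, int stop_on_error) {
    struct val acc = { K_STRING, NULL, 0 };
    for (size_t off = 0; off < total; off += chunk) {
        size_t n = total - off < chunk ? total - off : chunk;
        acc = val_append(acc, src + off, n);
        if (stop_on_error && acc.kind == K_INVALID)
            break;  /* the accumulator is an error value: never append again */
    }
    return acc;
}

/* Returns how many appends hit an invalid accumulator for a constructed input. */
static int reuse_after_error(int stop_on_error) {
    static const char input[] = "AAAAAAAABBBBBBBBCCCCCCCCDDDD";  /* constructed, 28 bytes */
    reuse_count = 0;
    struct val v = load_raw(input, sizeof input - 1, 8, stop_on_error);
    free(v.buf);
    return reuse_count;
}

int main(void) {
    printf("flawed=%d fixed=%d\n", reuse_after_error(0), reuse_after_error(1));
    return 0;
}
```

The third chunk exceeds the limit and the fourth is the "at least one more byte" case: the flawed loop reaches `val_append` with an invalid value once, the checked loop never does.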

Affected Systems

The vulnerability affects the jq command‑line JSON processor from jqlang. Versions before 1.8.2 are impacted; the flaw is corrected in the 1.8.2 release and later. It is triggered when jq --rawfile reads a file that is controlled or crafted by an attacker.

Risk and Exploitability

The CVSS score of 7.1 indicates medium‑to‑high severity. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to supply a file path to jq --rawfile, which implies a local or privileged access vector. If the program is executed with assertions disabled, as is common in production builds, the flaw can be realized, which puts systems that use jq in automated scripts or services at notable risk.

Generated by OpenCVE AI on June 25, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jq to version 1.8.2 or later, which contains the necessary fix.
  • Avoid using the --rawfile option with input files that are not trusted or that may be under attacker control.
  • When jq must process external input, ensure that the input size is bounded and that jq is called in an environment that enables assertions or other runtime checks; otherwise restrict the use of --rawfile entirely to a secure context.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Jqlang
Jqlang jq
Vendors & Products Jqlang
Jqlang jq

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description jq is a command-line JSON processor. Prior to 1.8.2, `jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2.
Title jq --rawfile invalid-state reuse after String too long causes heap-buffer-overflow
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T17:55:27.488Z

Reserved: 2026-06-01T18:50:36.056Z

Link: CVE-2026-49839

Vulnrichment

Updated: 2026-06-25T17:55:14.988Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:45:15Z

Weaknesses