Description
jq is a command-line JSON processor. Prior to 1.8.2, on 32-bit systems, the size arithmetic in jvp_string_append can overflow (integer wraparound) and then cause a massive buffer overrun. This vulnerability is fixed in 1.8.2.
Published: 2026-06-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in jvp_string_append, the routine jq uses to grow string values. On 32-bit builds the size arithmetic it performs can wrap around (CWE-190, Integer Overflow or Wraparound), so the function ends up with a buffer far smaller than the data it then writes, producing a large buffer overrun. The assigned CVSS 4.0 vector rates the impact as high for availability only (VA:H, with VC:N and VI:N), i.e. a crash of the jq process and loss of whatever depends on it; nothing on this page claims confidentiality or integrity impact or demonstrates code execution, although an unchecked heap overrun is the class of bug that can sometimes be pushed further.
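To make the CWE-190 mechanism concrete, the following added example (written for this page, not code from jq or the jqlang project) shows a hypothetical growable string buffer whose length arithmetic is done in uint32_t, so it behaves the way a 32-bit build would even when compiled on a 64-bit host. vuln_alloc_size is the unchecked pattern: it computes the allocation size that a wrapped sum would request, and the copy that would overrun is deliberately not performed. checked_alloc_size and strbuf_append are the hardened form, which refuses an append whose resulting size cannot be represented. The struct, the function names, the use of an unchecked addition (the page does not say which expression in jq wraps) and the constructed sizes are all assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string, standing in for the kind of buffer a
 * string-append routine grows. It is not jq's jvp_string. */
typedef struct {
    uint32_t length;   /* bytes in use, excluding the NUL terminator */
    uint32_t capacity; /* bytes allocated for data */
    char *data;
} strbuf_t;

/* Size arithmetic is done in uint32_t on purpose so the example reproduces
 * 32-bit behaviour regardless of the host it is compiled on. */

/* Vulnerable pattern: length + add is computed with no wraparound check.
 * Returns the number of bytes the append would allocate. When the sum wraps
 * past 2^32 the result is tiny while the copy would still write `add` bytes,
 * which is the "massive buffer overrun" the advisory describes. */
uint32_t vuln_alloc_size(uint32_t length, uint32_t add) {
    uint32_t new_length = length + add;  /* CWE-190: may wrap */
    return new_length + 1;               /* + NUL terminator */
}

/* Hardened check: succeed only if length + add + 1 fits in 32 bits.
 * The comparison is rearranged so that it cannot itself wrap. */
int checked_alloc_size(uint32_t length, uint32_t add, uint32_t *out) {
    if (add > UINT32_MAX - 1 - length)   /* i.e. length + add + 1 > UINT32_MAX */
        return -1;
    *out = length + add + 1;
    return 0;
}

/* Hardened append: computes the checked size, grows the buffer, copies the
 * bytes and keeps the NUL. Returns 0 on success, -1 if the append would
 * overflow or memory cannot be obtained. Nothing is written on failure. */
int strbuf_append(strbuf_t *s, const char *src, uint32_t add) {
    uint32_t need;
    if (checked_alloc_size(s->length, add, &need) != 0)
        return -1;
    if (need > s->capacity) {
        /* Grow geometrically, saturating at what 32 bits can express. */
        uint32_t cap = s->capacity ? s->capacity : 16;
        while (cap < need)
            cap = (cap > UINT32_MAX / 2) ? UINT32_MAX : cap * 2;
        char *p = realloc(s->data, cap);
        if (!p)
            return -1;
        s->data = p;
        s->capacity = cap;
    }
    memcpy(s->data + s->length, src, add);
    s->length += add;
    s->data[s->length] = '\0';
    return 0;
}

void strbuf_free(strbuf_t *s) {
    free(s->data);
    s->data = NULL;
    s->length = s->capacity = 0;
}

int main(void) {
    /* Constructed sizes: a string just below 4 GiB plus a 32-byte append. */
    uint32_t len = 0xFFFFFFF0u, add = 0x20u, need = 0;
    printf("unchecked alloc size: %u bytes (wrapped)\n", vuln_alloc_size(len, add));
    printf("checked alloc: %s\n",
           checked_alloc_size(len, add, &need) ? "rejected" : "ok");

    /* Normal use of the hardened append on constructed JSON fragments. */
    strbuf_t s = {0, 0, NULL};
    strbuf_append(&s, "{\"k\":\"", 6);
    strbuf_append(&s, "value", 5);
    strbuf_append(&s, "\"}", 2);
    printf("%s (%u bytes)\n", s.data, s.length);
    strbuf_free(&s);
    return 0;
}
```

The two numbers printed first are the whole bug: the unchecked version asks the allocator for 17 bytes while intending to copy 32 bytes onto a string that is already 4 GiB long, whereas the checked version refuses before any allocation or copy takes place. A 64-bit build does not hit this particular wrap because the same arithmetic is done in a wider type, which is why the advisory scopes the issue to 32-bit systems.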

Affected Systems

All jq builds prior to version 1.8.2 running on 32-bit architectures are affected; 64-bit builds are outside the scope of the description. The vendor (jqlang/jq) shipped the fix in release 1.8.2. Any deployment that still runs an older jq binary on 32-bit hardware, including embedded and container images that bundle jq, should be identified and upgraded.

Risk and Exploitability

Based on the description, an attacker who can supply or influence the data jq parses could trigger the overflow, most plausibly by feeding an oversized or specially crafted JSON string to a jq process. The assigned CVSS 4.0 vector is AV:L (local), with no privileges or user interaction required, and the score of 6.9 is rated Medium. EPSS data is not available, so the likelihood of exploitation is not quantified, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation, not automatable, and partial technical impact. With only the description to go on, the demonstrated outcome is a crash (denial of service) of the jq process; whether the overrun can be turned into anything beyond that is not established on this page.

Generated by OpenCVE AI on June 25, 2026 at 18:51 UTC.

Remediation

The CVE description states that the issue is fixed in jq 1.8.2. No separate vendor advisory or workaround is linked on this page.

OpenCVE Recommended Actions

  • Upgrade jq to version 1.8.2 or later to apply the fix for the integer overflow in jvp_string_append.
  • If an upgrade cannot be performed immediately, run jq only on 64-bit builds, or cap the size of untrusted input that jq processes; the overflow is in the length arithmetic of string appends, so the relevant control is input size, not the range of numeric values in the JSON.
  • Monitor affected hosts for jq crashes and plan a patch deployment as soon as possible, especially where jq processes JSON from untrusted sources.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 18:30:00 +0000

Metrics (ssvc), values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 17:30:00 +0000

Description, values added: jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun. This vulnerability is fixed in 1.8.2.
Title, values added: jq: potential integer overflow in jvp_string_append
Weaknesses, values added: CWE-190
References, values added: (none)
Metrics (cvssV4_0), values added:

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:09:00.477Z

Reserved: 2026-06-15T22:53:58.561Z

Link: CVE-2026-54679

Vulnrichment

Updated: 2026-06-25T18:08:29.607Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T19:00:08Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound