Skip to main content

Ubuntu CVE-2025-49014

| EUVDEUVD-2025-18920 MEDIUM
Use After Free (CWE-416)
2025-06-19 security-advisories@github.com
5.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Ubuntu
MEDIUM
qualitative
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 00:08 euvd
EUVD-2025-18920
Analysis Generated
Mar 15, 2026 - 00:08 vuln.today
CVE Published
Jun 19, 2025 - 15:15 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

Analysis

jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.

Technical ContextAI

A use-after-free vulnerability occurs when a program continues to use a pointer after the referenced memory has been freed, leading to undefined behavior. This vulnerability is classified as Use After Free (CWE-416).

RemediationAI

Use memory-safe languages. Implement proper object lifecycle management. Use static and dynamic analysis tools to detect UAF patterns.

Vendor StatusVendor

Ubuntu

Priority: Medium
jq
Release Status Version
upstream needs-triage -
bionic not-affected -
focal not-affected -
jammy not-affected 1.6-2.1ubuntu3
noble not-affected 1.7.1-3build1
oracular not-affected 1.7.1-3build1
plucky not-affected 1.7.1-3ubuntu1
trusty not-affected -
xenial not-affected -

Debian

Bug #1108062
jq
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 1.6-2.1+deb11u1 -
bookworm not-affected - -
trixie not-affected - -
forky, sid fixed 1.8.1-4 -
(unstable) fixed 1.8.1-1 -

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed

Share

CVE-2025-49014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy