Skip to main content

jq CVE-2026-43894

| EUVDEUVD-2026-29172 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-11 GitHub_M
6.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.2 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVE Published
May 11, 2026 - 17:20 nvd
MEDIUM 6.2

DescriptionGitHub Advisory

jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).

AnalysisAI

Buffer overflow in jq 1.8.1 and earlier allows local attackers to cause denial of service by providing a crafted JSON number literal with INT_MAX-1 (2147483646) digits, triggering integer overflow in the D2U() macro that bypasses heap-allocation checks and writes approximately 1.4 GiB of attacker-controlled data to the stack, corrupting memory far below the stack frame.

Technical ContextAI

jq is a command-line JSON processor that parses and manipulates JSON data. The vulnerability exists in the decNumberFromString function, which processes numeric literals from JSON input. The root cause is an integer overflow in the D2U() macro during signed-int arithmetic when computing allocation sizes for the decimal number parser. The macro converts a digit count to a unit count but overflows when given INT_MAX-1 digits, producing a wrapped negative value. This negative value passes the heap-allocation size check (which compares against a positive threshold), allowing the function to incorrectly use a 30-byte stack buffer instead of allocating appropriate heap memory. The subsequent write loop then interprets the wrapped value as a legitimate count and writes approximately 715 million 16-bit units (1.4 GiB) of parsed decimal digits at memory offsets far below the stack frame, causing severe memory corruption. CWE-190 (Integer Overflow or Wraparound) describes the underlying defect.

RemediationAI

Upgrade jq to version 1.8.2 or later, which patches the integer overflow in the D2U() macro. Users unable to immediately upgrade should restrict the parsing of JSON input from untrusted sources or implement size limits on input files to prevent the delivery of multi-gigabyte number literals. However, this is not a reliable workaround since even partial input validation is difficult without parsing the JSON first. The primary remediation is vendor patch adoption; check GitHub Security Advisory GHSA-5v7p-2r57-2g4g for confirmation of the patched version.

More in Jq

View all
CVE-2024-53427 HIGH POC
8.1 Feb 26

decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which ha

CVE-2015-8863 CRITICAL
9.8 May 06

Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (cras

CVE-2025-48060 HIGH POC
7.7 May 21

jq is a command-line JSON processor. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no auth

CVE-2016-4074 HIGH POC
7.5 May 06

The jv_dump_term function in jq 1.5 allows remote attackers to cause a denial of service (stack consumption and applicat

CVE-2023-49355 HIGH POC
7.5 Dec 11

decToString in decNumber/decNumber.c in jq 88f01a7 has a one-byte out-of-bounds write via the " []-1.2e-1111111111" inpu

CVE-2023-50268 MEDIUM POC
5.5 Dec 13

jq is a command-line JSON processor. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Publ

CVE-2023-50246 MEDIUM POC
5.5 Dec 13

jq is a command-line JSON processor. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Publ

CVE-2026-32316 HIGH
8.2 Apr 13

Heap buffer overflow in jq command-line JSON processor (all versions through 1.8.1) allows remote unauthenticated attack

CVE-2026-49839 HIGH
7.1

Out-of-bounds write in the jq command-line JSON processor (CWE-787) lets a crafted JSON input corrupt memory when parsed

CVE-2026-54679 MEDIUM
6.9

jq, the command-line JSON processor, was patched in Alpine Linux with package version 1.8.2-r0. The specific vulnerabili

CVE-2026-39979 MEDIUM
6.9 Apr 13

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() AP

CVE-2026-47770 MEDIUM
6.8

jq on Alpine Linux was patched in package version 1.8.2-r0, addressing an unspecified vulnerability. The nature of the f

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-43894 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy