EUVD-2025-18920
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Lifecycle Timeline
4Description
jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.
Analysis
jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication.
Technical Context
A use-after-free vulnerability occurs when a program continues to use a pointer after the referenced memory has been freed, leading to undefined behavior. This vulnerability is classified as Use After Free (CWE-416).
Remediation
Use memory-safe languages. Implement proper object lifecycle management. Use static and dynamic analysis tools to detect UAF patterns.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| upstream | needs-triage | - |
| bionic | not-affected | - |
| focal | not-affected | - |
| jammy | not-affected | 1.6-2.1ubuntu3 |
| noble | not-affected | 1.7.1-3build1 |
| oracular | not-affected | 1.7.1-3build1 |
| plucky | not-affected | 1.7.1-3ubuntu1 |
| trusty | not-affected | - |
| xenial | not-affected | - |
Debian
Bug #1108062| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | not-affected | - | - |
| bullseye (security) | fixed | 1.6-2.1+deb11u1 | - |
| bookworm | not-affected | - | - |
| trixie | not-affected | - | - |
| forky, sid | fixed | 1.8.1-4 | - |
| (unstable) | fixed | 1.8.1-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today