Skip to main content

jq EUVDEUVD-2026-29163

| CVE-2026-41257 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-11 GitHub_M
6.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.1 LOW
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 11, 2026 - 18:46 vuln.today
CVSS changed
May 11, 2026 - 18:22 NVD
6.4 (MEDIUM)
CVE Published
May 11, 2026 - 17:14 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.

AnalysisAI

Integer overflow in jq's bytecode VM data stack allocation tracking allows local attackers to corrupt heap memory and achieve arbitrary code execution or denial of service by crafting deeply nested JSON generator expressions that exceed ~1 GiB stack size. Affected versions: jq 1.8.1 and earlier. The vulnerability requires local file access and user interaction to trigger malicious jq expressions, but carries high impact potential due to memory corruption exploitability.

Technical ContextAI

jq is a command-line JSON processor that compiles input expressions to bytecode executed by a virtual machine. The bytecode VM maintains a data stack with allocation size tracked as a signed integer. When processing deeply nested generator forks (recursive JSON structures), the stack allocation grows exponentially via doubling. This doubling arithmetic overflows the signed int when stack size exceeds approximately 1 GiB, causing the wrapped (negative or small positive) value to be passed to the realloc() function. The subsequent memmove() operation then uses attacker-influenced offsets on the incorrectly-sized buffer, enabling heap corruption. The root cause is CWE-190 (Integer Overflow or Wraparound) in the allocation size calculation, compounded by insufficient bounds checking before memory operations.

RemediationAI

Upgrade jq to version 1.8.2 or later as soon as it becomes available from the jqlang project (https://github.com/jqlang/jq). Until a patched release is available, restrict execution of jq on untrusted JSON inputs by implementing input validation that rejects excessively nested structures (configure depth limits in jq filters using recursion depth guards or input pre-processing) and running jq in a restricted sandbox environment (e.g., containers with read-only filesystems, reduced memory limits via cgroups to prevent 1 GiB allocations) if processing partially-trusted data is unavoidable. Limit filesystem access to jq processes via SELinux or AppArmor policies. Monitor jq process memory consumption for anomalies. Note that these controls reduce but do not eliminate risk if the attacker controls the jq filter expression itself.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

EUVD-2026-29163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy