CVE-2026-41257

Name
CVE-2026-41257
Description
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:* jq >= None <= 1.8.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
jq edge-main 1.8.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq edge-main 1.8.0-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq edge-main 1.7.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq edge-main 1.6_rc1-r0 None possibly vulnerable
jq 3.23-main 1.8.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq 3.22-main 1.8.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq 3.22-main 1.8.0-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq 3.22-main 1.7.1-r0 None possibly vulnerable
jq 3.22-main 1.6_rc1-r0 None possibly vulnerable
jq 3.21-main 1.7.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq 3.21-main 1.6_rc1-r0 None possibly vulnerable
jq 3.20-main 1.7.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq 3.20-main 1.6_rc1-r0 None possibly vulnerable
jq 3.19-main 1.7.1-r0 Patrycja Rosa <alpine@ptrcnull.me> possibly vulnerable
jq 3.19-main 1.6_rc1-r0 None possibly vulnerable