CVE-2026-41257
Published: May 11, 2026
Modified: May 11, 2026
PUBLISHED
Description
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
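
The arithmetic failure described above, as an added example that is not jq's source code: a simplified C model of a size doubled in a 32-bit signed int, beside a hardened growth routine. The names `next_size_wrapping`, `next_size_checked`, `vstack_grow`, `struct vstack` and the `max` cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model (not jq's code): a size held in a 32-bit signed int and
 * doubled. Done in 64 bits and truncated so the wrap is shown without
 * relying on signed-overflow undefined behaviour. */
static int32_t next_size_wrapping(int32_t cur, int32_t need)
{
    int64_t wide = ((int64_t)cur + need) * 2;
    return (int32_t)(uint32_t)wide;
}

/* Hardened form: size_t arithmetic, every step checked against a cap.
 * Returns 0 and stores the new size, or -1 if the request cannot be met. */
static int next_size_checked(size_t cur, size_t need, size_t max, size_t *out)
{
    if (need > max || cur > max - need)
        return -1;
    size_t want = cur + need;
    *out = (want > max / 2) ? max : want * 2;
    return 0;
}

struct vstack { unsigned char *mem; size_t alloc; };  /* hypothetical type */

/* Grow the buffer; the recorded size changes only after realloc succeeds,
 * so later copies are bounded by a size that matches the allocation. */
static int vstack_grow(struct vstack *s, size_t need, size_t max)
{
    size_t n;
    if (next_size_checked(s->alloc, need, max, &n) != 0)
        return -1;
    unsigned char *p = realloc(s->mem, n);
    if (p == NULL)
        return -1;
    s->mem = p;
    s->alloc = n;
    return 0;
}

int main(void)
{
    struct vstack s = { NULL, 0 };
    int rc = vstack_grow(&s, 100, 4096);
    printf("wrapped: %d\n", (int)next_size_wrapping(0x40000000, 0));
    printf("grow rc=%d alloc=%zu\n", rc, s.alloc);
    free(s.mem);
    return 0;
}
```
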
| Vendor | Product | Versions |
|---|---|---|
| jqlang | jq | affected <= 1.8.1 |
References
https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539
x_refsource_CONFIRM