PT-2026-39711 · Jq · Jq

Califmonk

·

Published

2026-05-11

·

Updated

2026-07-07

·

CVE-2026-41257

CVSS v4.0

7.3

High

VectorAV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions jq versions prior to 1.8.2
Description The bytecode VM's data stack tracks its allocation size using a signed integer. When the stack grows beyond approximately 1 GiB through deeply nested generator forks, the doubling arithmetic overflows. This wrapped value is then passed to realloc and subsequently used in a memmove operation with offsets influenced by an attacker.
Recommendations Update to a version later than 1.8.1.

Exploit

Fix

Memory Corruption

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41257
ECHO-5CB6-067B-5460
GHSA-4JM8-M363-4539
OESA-2026-2424
OESA-2026-2425
OESA-2026-2426
OESA-2026-2427
OESA-2026-2487
OPENSUSE-SU-2026:10850-1
OPENSUSE-SU-2026:21248-1

Affected Products

Jq