CVE-2026-49839

Name of the Vulnerable Software and Affected Versions jq versions prior to 1.8.2

Description In assertion-disabled builds, the jq --rawfile command can lead to invalid-state reuse and a heap out-of-bounds write. This occurs when the jv load file(raw=1) function reads an attacker-controlled file and repeatedly appends chunks to a string accumulator. If the jv string append buf() function returns a "String too long" error, the loop continues to append subsequent file chunks to the already invalid object. This invalid object is then incorrectly interpreted as a string object, resulting in a heap-buffer-overflow.

Recommendations Update to version 1.8.2.