ChangZhuo Chen uploaded new packages for jq which fixed the
following security problems:
CVE-2026-32316
jq is a command-line JSON processor. An integer overflow vulnerability
exists through version 1.8.1 within the jvp_string_append() and
jvp_string_copy_replace_bad functions, where concatenating strings with
a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer
overflow in the buffer allocation size calculation, resulting in a
drastically undersized heap buffer. Subsequent memory copy operations
then write the full string data into this undersized buffer, causing a
heap buffer overflow classified as CWE-190 (Integer Overflow) leading to
CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq
queries is affected, as an attacker can crash the process or potentially
achieve further exploitation through heap corruption by crafting queries
that produce extremely large strings. The root cause is the absence of
string size bounds checking, unlike arrays and objects which already
have size limits. The issue has been addressed in commit
e47e56d226519635768e6aab2f38f0ab037c09e5.
CVE-2026-33947
jq is a command-line JSON processor. In versions 1.8.1 and below,
functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's
src/jv_aux.c use unbounded recursion whose depth is controlled by the
length of a caller-supplied path array, with no depth limit enforced. An
attacker can supply a JSON document containing a flat array of ~65,000
integers (~200 KB) that, when used as a path argument by a trusted jq
filter, exhausts the C call stack and crashes the process with a
segmentation fault (SIGSEGV). This bypass works because the existing
MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not
runtime path operations where arrays can be programmatically constructed
to arbitrary lengths. The impact is denial of service (unrecoverable
crash) affecting any application or service that processes untrusted
JSON input through jq's setpath, getpath, or delpaths builtins. This
issue has been addressed in commit
fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.
CVE-2026-33948
jq is a command-line JSON processor. Commits before
6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where
CLI input parsing allows validation bypass via embedded NUL bytes. When
reading JSON from files or stdin, jq uses strlen() to determine buffer
length instead of the actual byte count from fgets(), causing it to
truncate input at the first NUL byte and parse only the preceding
prefix. This enables an attacker to craft input with a benign JSON
prefix before a NUL byte followed by malicious trailing data, where jq
validates only the prefix as valid JSON while silently discarding the
suffix. Workflows relying on jq to validate untrusted JSON before
forwarding it to downstream consumers are susceptible to parser
differential attacks, as those consumers may process the full input
including the malicious trailing bytes. This issue has been patched by
commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
CVE-2026-39956
jq is a command-line JSON processor. In commits after
69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in
jq's src/builtin.c passes its arguments directly to jv_string_indexes()
without verifying they are strings, and jv_string_indexes() in src/jv.c
relies solely on assert() checks that are stripped in release builds
compiled with -DNDEBUG. This allows an attacker to crash jq trivially
with input like _strindices(0), and by crafting a numeric value whose
IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled
pointer dereference and limited memory read/probe primitive. Any
deployment that evaluates untrusted jq filters against a release build
is vulnerable. This issue has been patched in commit
fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
CVE-2026-39979
jq is a command-line JSON processor. In commits before
2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in
libjq accepts a counted buffer with an explicit length parameter, but
its error-handling path formats the input buffer using %s in
jv_string_fmt(), which reads until a NUL terminator is found rather than
respecting the caller-supplied length. This means that when malformed
JSON is passed in a non-NUL-terminated buffer, the error construction
logic performs an out-of-bounds read past the end of the buffer. The
vulnerability is reachable by any libjq consumer calling
jv_parse_sized() with untrusted input, and depending on memory layout,
can result in memory disclosure or process termination. The issue has
been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
CVE-2026-40164
jq is a command-line JSON processor. Before commit
0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a
hardcoded, publicly visible seed (0x432A9843) for all JSON object hash
table operations, which allowed an attacker to precompute key collisions
offline. By supplying a crafted JSON object (~100 KB) where all keys
hashed to the same bucket, hash table lookups degraded from O(1) to
O(n), turning any jq expression into an O(n²) operation and causing
significant CPU exhaustion. This affected common jq use cases such as
CI/CD pipelines, web services, and data processing scripts, and was far
more practical to exploit than existing heap overflow issues since it
required only a small payload. This issue has been patched in commit
0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
CVE-2026-40612
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains
recurses into nested arrays/objects with no depth limit. With a
sufficiently nested input structure (built programmatically with reduce,
since the JSON parser caps at depth 10000), the C stack is exhausted.
CVE-2026-41256
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq
programs loaded from a file with -f are truncated at the first embedded
NUL byte on current upstream HEAD. A crafted filter file such as .
followed by \x00 and arbitrary suffix compiles and executes as only the
prefix before the NUL. This leaves jq with a post-CVE-2026-33948
prefix/full-buffer mismatch on the compilation path even though the JSON
parser path has already been fixed.
CVE-2026-41257
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq
bytecode VM's data stack tracks its allocation size in a signed int.
When the stack grows beyond ≈1 GiB (via deeply nested generator forks),
the doubling arithmetic overflows. The wrapped value is passed to
realloc and then used for a memmove with attacker-influenced offsets.
CVE-2026-43894
jq is a command-line JSON processor. In 1.8.1 and earlier, when
decNumberFromString is given a number literal of INT_MAX-1 (2147483646)
digits, the D2U() macro overflows during signed-int arithmetic. The
wrapped negative value bypasses the heap-allocation size check, causes
the function to use a 30-byte stack buffer, and then writes ≈715 million
16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The
written content is fully attacker-controlled (the parsed decimal digits,
packed 3-per-unit).
CVE-2026-43895
jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts
embedded NUL bytes in import paths at the jq-language level, but later
resolves those paths through C string operations during module and
data-file lookup. This creates a mismatch between the logical import
string that policy or audit code may validate and the on-disk path that
jq actually opens.
CVE-2026-43896
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded
recursion in jv_object_merge_recursive() allows a crafted jq program to
crash the process with a segfault. The function is reachable through the
* operator when both operands are objects.
CVE-2026-44777
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the
ordinary module loader recurses without cycle detection when two
otherwise valid modules include each other.
For the bookworm-backports distribution the problems have been fixed in
version 1.8.1-6~bpo12+1.
For the trixie-backports distribution the problems have been fixed in
version 1.8.1-6~bpo13+1.