Vulnerability-Lookup

RHSA-2026:29986

Vulnerability from csaf_redhat - Published: 2026-06-25 15:16 - Updated: 2026-06-27 08:44

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Moderate

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: jq: * jq-1.8.2-0.1.hum1 (aarch64, x86_64) * jq-devel-1.8.2-0.1.hum1 (aarch64, x86_64) * jq-1.8.2-0.1.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-40612

A flaw was found in jq, a command line JSON processor. The `jv_contains` function does not have a depth limit when processing nested arrays or objects. This missing depth limit allows an attacker who can supply a sufficiently nested input structure to exhaust the stack memory, causing an application crash and resulting in a denial of service.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:jq-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-41256

A flaw was found in jq, a command line JSON processor. Top-level jq programs loaded from a file using the `-f` flag are truncated at the first embedded NUL byte. This issue allows an attacker who can supply a crafted filter file to prematurely truncate the program, potentially bypassing filtering logic and modifying the integrity of the processed data.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-158 - Improper Neutralization of Null Byte or NUL Character

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:jq-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-41257

A flaw was found in jq, a command line JSON processor. The memory allocation size is calculated using a signed integer that can overflow when processing deeply nested generator forks. This integer overflow allows an attacker who can supply a sufficiently nested input to influence the memory allocation size, causing an out-of-bounds write and an application crash, resulting in a denial of service.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-190 - Integer Overflow or Wraparound

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:jq-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-43894

A flaw was found in jq, a tool used for processing JSON data from the command line. A remote attacker can exploit a vulnerability by providing a specially crafted large number as input. This can cause an internal calculation error, leading to a memory overflow where the attacker can write their own data into the system's memory, potentially resulting in the application crashing (Denial of Service).

6.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-190 - Integer Overflow or Wraparound

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:jq-main@aarch64	—	Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:jq-main@src	—	Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:jq-main@x86_64	—	Vendor Fix fix

Threats

Impact Moderate

CVE-2026-43895

A flaw was found in jq, a command line JSON processor. Embedded NUL bytes in import paths are truncated during module and data-file lookup, creating a mismatch between the intended import string and the actual file path opened. This issue allows an attacker who can supply a crafted script to access unintended files.

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-20 - Improper Input Validation

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:jq-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-43896

A flaw was found in jq, a command line JSON processor. The `jv_object_merge_recursive` function, reachable via the `*` operator when both operands are objects, does not have a depth limit when processing nested objects. This missing depth limit allows an attacker who can supply a sufficiently nested input structure to exhaust the stack memory, causing an application crash and resulting in a denial of service.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-674 - Uncontrolled Recursion

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:jq-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-47770

A flaw was found in jq, a command-line JSON processor. This vulnerability allows a local user or an attacker providing malicious input to cause a denial of service (DoS) by comparing two sufficiently deeply nested arrays using the '==' operator. This action exhausts the C stack due to uncontrolled recursion, leading to a crash of the jq process.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:jq-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

CVE-2026-54679

A flaw was found in jq, a command-line JSON processor. On 32-bit systems, a local attacker could exploit an integer overflow vulnerability in the `jvp_string_append` function. This could lead to a massive buffer overrun, resulting in a denial of service (DoS) condition.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-190 - Integer Overflow or Wraparound

Affected products

Fixed 3 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:jq-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:jq-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Moderate

References

52 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:29986	self
https://images.redhat.com/	external
https://access.redhat.com/security/cve/CVE-2026-43895	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/cve/CVE-2026-41256	external
https://access.redhat.com/security/cve/CVE-2026-41257	external
https://access.redhat.com/security/cve/CVE-2026-43896	external
https://access.redhat.com/security/cve/CVE-2026-40612	external
https://access.redhat.com/security/cve/CVE-2026-47770	external
https://access.redhat.com/security/cve/CVE-2026-54679	external
https://access.redhat.com/security/cve/CVE-2026-43894	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-40612	self
https://bugzilla.redhat.com/show_bug.cgi?id=2469183	external
https://www.cve.org/CVERecord?id=CVE-2026-40612	external
https://nvd.nist.gov/vuln/detail/CVE-2026-40612	external
https://github.com/jqlang/jq/security/advisories/…	external
https://access.redhat.com/security/cve/CVE-2026-41256	self
https://bugzilla.redhat.com/show_bug.cgi?id=2469193	external
https://www.cve.org/CVERecord?id=CVE-2026-41256	external
https://nvd.nist.gov/vuln/detail/CVE-2026-41256	external
https://github.com/jqlang/jq/security/advisories/…	external
https://access.redhat.com/security/cve/CVE-2026-41257	self
https://bugzilla.redhat.com/show_bug.cgi?id=2469187	external
https://www.cve.org/CVERecord?id=CVE-2026-41257	external
https://nvd.nist.gov/vuln/detail/CVE-2026-41257	external
https://github.com/jqlang/jq/security/advisories/…	external
https://access.redhat.com/security/cve/CVE-2026-43894	self
https://bugzilla.redhat.com/show_bug.cgi?id=2469175	external
https://www.cve.org/CVERecord?id=CVE-2026-43894	external
https://nvd.nist.gov/vuln/detail/CVE-2026-43894	external
https://github.com/jqlang/jq/security/advisories/…	external
https://access.redhat.com/security/cve/CVE-2026-43895	self
https://bugzilla.redhat.com/show_bug.cgi?id=2469199	external
https://www.cve.org/CVERecord?id=CVE-2026-43895	external
https://nvd.nist.gov/vuln/detail/CVE-2026-43895	external
https://github.com/jqlang/jq/security/advisories/…	external
https://access.redhat.com/security/cve/CVE-2026-43896	self
https://bugzilla.redhat.com/show_bug.cgi?id=2469184	external
https://www.cve.org/CVERecord?id=CVE-2026-43896	external
https://nvd.nist.gov/vuln/detail/CVE-2026-43896	external
https://github.com/jqlang/jq/security/advisories/…	external
https://access.redhat.com/security/cve/CVE-2026-47770	self
https://bugzilla.redhat.com/show_bug.cgi?id=2493034	external
https://www.cve.org/CVERecord?id=CVE-2026-47770	external
https://nvd.nist.gov/vuln/detail/CVE-2026-47770	external
https://github.com/jqlang/jq/security/advisories/…	external
https://access.redhat.com/security/cve/CVE-2026-54679	self
https://bugzilla.redhat.com/show_bug.cgi?id=2493030	external
https://www.cve.org/CVERecord?id=CVE-2026-54679	external
https://nvd.nist.gov/vuln/detail/CVE-2026-54679	external
https://github.com/jqlang/jq/security/advisories/…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\njq:\n  * jq-1.8.2-0.1.hum1 (aarch64, x86_64)\n  * jq-devel-1.8.2-0.1.hum1 (aarch64, x86_64)\n  * jq-1.8.2-0.1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:29986",
        "url": "https://access.redhat.com/errata/RHSA-2026:29986"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-43895",
        "url": "https://access.redhat.com/security/cve/CVE-2026-43895"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-41256",
        "url": "https://access.redhat.com/security/cve/CVE-2026-41256"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-41257",
        "url": "https://access.redhat.com/security/cve/CVE-2026-41257"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-43896",
        "url": "https://access.redhat.com/security/cve/CVE-2026-43896"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-40612",
        "url": "https://access.redhat.com/security/cve/CVE-2026-40612"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-47770",
        "url": "https://access.redhat.com/security/cve/CVE-2026-47770"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-54679",
        "url": "https://access.redhat.com/security/cve/CVE-2026-54679"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-43894",
        "url": "https://access.redhat.com/security/cve/CVE-2026-43894"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_29986.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-06-27T08:44:55+00:00",
      "generator": {
        "date": "2026-06-27T08:44:55+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.2.6"
        }
      },
      "id": "RHSA-2026:29986",
      "initial_release_date": "2026-06-25T15:16:12+00:00",
      "revision_history": [
        {
          "date": "2026-06-25T15:16:12+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-26T14:09:13+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-27T08:44:55+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jq-main@aarch64",
                "product": {
                  "name": "jq-main@aarch64",
                  "product_id": "jq-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jq@1.8.2-0.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jq-main@src",
                "product": {
                  "name": "jq-main@src",
                  "product_id": "jq-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jq@1.8.2-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jq-main@x86_64",
                "product": {
                  "name": "jq-main@x86_64",
                  "product_id": "jq-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/jq@1.8.2-0.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:jq-main@aarch64"
        },
        "product_reference": "jq-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:jq-main@src"
        },
        "product_reference": "jq-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:jq-main@x86_64"
        },
        "product_reference": "jq-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40612",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2026-05-11T18:02:00.323406+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2469183"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jq, a command line JSON processor. The `jv_contains` function does not have a depth limit when processing nested arrays or objects. This missing depth limit allows an attacker who can supply a sufficiently nested input structure to exhaust the stack memory, causing an application crash and resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jq: stack overflow via unbounded recursion in jv_contains",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq with the `jv_contains` function. This allows the attacker to cause an application crash with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:jq-main@aarch64",
          "Red Hat Hardened Images:jq-main@src",
          "Red Hat Hardened Images:jq-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-40612"
        },
        {
          "category": "external",
          "summary": "RHBZ#2469183",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469183"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-40612",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-40612"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40612",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40612"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j",
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j"
        }
      ],
      "release_date": "2026-05-11T17:16:25.453000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T15:16:12+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29986"
        },
        {
          "category": "workaround",
          "details": "Do not process untrusted input with the jq command line JSON processor.",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jq: stack overflow via unbounded recursion in jv_contains"
    },
    {
      "cve": "CVE-2026-41256",
      "cwe": {
        "id": "CWE-158",
        "name": "Improper Neutralization of Null Byte or NUL Character"
      },
      "discovery_date": "2026-05-11T18:02:30.119017+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2469193"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jq, a command line JSON processor. Top-level jq programs loaded from a file using the `-f` flag are truncated at the first embedded NUL byte. This issue allows an attacker who can supply a crafted filter file to prematurely truncate the program, potentially bypassing filtering logic and modifying the integrity of the processed data.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jq: embedded NUL truncates top-level jq programs loaded with -f",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this flaw, an attacker needs to supply a crafted filter file containing an embedded NUL byte to be loaded by jq using the `-f` flag. This allows the attacker to prematurely truncate the program, potentially bypassing intended filtering logic and modifying the integrity of the processed data. Due to these reasons, this issue has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:jq-main@aarch64",
          "Red Hat Hardened Images:jq-main@src",
          "Red Hat Hardened Images:jq-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-41256"
        },
        {
          "category": "external",
          "summary": "RHBZ#2469193",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469193"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-41256",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-41256"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41256",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41256"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg",
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg"
        }
      ],
      "release_date": "2026-05-11T17:18:30.975000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T15:16:12+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29986"
        },
        {
          "category": "workaround",
          "details": "Do not process untrusted filter files using the -f flag with the jq command line JSON processor.",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jq: embedded NUL truncates top-level jq programs loaded with -f"
    },
    {
      "cve": "CVE-2026-41257",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2026-05-11T18:02:12.992356+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2469187"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jq, a command line JSON processor. The memory allocation size is calculated using a signed integer that can overflow when processing deeply nested generator forks. This integer overflow allows an attacker who can supply a sufficiently nested input to influence the memory allocation size, causing an out-of-bounds write and an application crash, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jq: signed-int overflow in stack_reallocate",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq that triggers deeply nested generator forks. This allows the attacker to overflow the integer used to calculate memory size and cause an out-of-bounds write, effectively resulting in an application crash with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:jq-main@aarch64",
          "Red Hat Hardened Images:jq-main@src",
          "Red Hat Hardened Images:jq-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-41257"
        },
        {
          "category": "external",
          "summary": "RHBZ#2469187",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469187"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-41257",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-41257"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-41257",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41257"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539",
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539"
        }
      ],
      "release_date": "2026-05-11T17:14:32.579000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T15:16:12+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29986"
        },
        {
          "category": "workaround",
          "details": "Do not process untrusted input with the jq command line JSON processor.",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jq: signed-int overflow in stack_reallocate"
    },
    {
      "cve": "CVE-2026-43894",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2026-05-11T18:01:34.839506+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2469175"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jq, a tool used for processing JSON data from the command line. A remote attacker can exploit a vulnerability by providing a specially crafted large number as input. This can cause an internal calculation error, leading to a memory overflow where the attacker can write their own data into the system\u0027s memory, potentially resulting in the application crashing (Denial of Service).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jq: jq: Arbitrary Code Execution or Denial of Service via Signed Integer Overflow",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:jq-main@aarch64",
          "Red Hat Hardened Images:jq-main@src",
          "Red Hat Hardened Images:jq-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-43894"
        },
        {
          "category": "external",
          "summary": "RHBZ#2469175",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469175"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-43894",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-43894"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-43894",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43894"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g",
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g"
        }
      ],
      "release_date": "2026-05-11T17:20:06.055000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T15:16:12+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29986"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jq: jq: Arbitrary Code Execution or Denial of Service via Signed Integer Overflow"
    },
    {
      "cve": "CVE-2026-43895",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2026-05-11T18:02:49.442174+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2469199"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jq, a command line JSON processor. Embedded NUL bytes in import paths are truncated during module and data-file lookup, creating a mismatch between the intended import string and the actual file path opened. This issue allows an attacker who can supply a crafted script to access unintended files.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jq: embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this flaw, an attacker needs to supply a crafted script containing embedded NUL bytes in import paths to be processed by jq. This allows the attacker to bypass intended path validation mechanisms and access unintended files. Due to these reasons, this issue has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:jq-main@aarch64",
          "Red Hat Hardened Images:jq-main@src",
          "Red Hat Hardened Images:jq-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-43895"
        },
        {
          "category": "external",
          "summary": "RHBZ#2469199",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469199"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-43895",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-43895"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-43895",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43895"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr",
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr"
        }
      ],
      "release_date": "2026-05-11T17:24:02.880000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T15:16:12+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29986"
        },
        {
          "category": "workaround",
          "details": "Do not process untrusted scripts with the jq command line JSON processor.",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jq: embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts"
    },
    {
      "cve": "CVE-2026-43896",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2026-05-11T18:02:03.588021+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2469184"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jq, a command line JSON processor. The `jv_object_merge_recursive` function, reachable via the `*` operator when both operands are objects, does not have a depth limit when processing nested objects. This missing depth limit allows an attacker who can supply a sufficiently nested input structure to exhaust the stack memory, causing an application crash and resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jq: stack overflow in recursive object merge",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq with the `jv_object_merge_recursive` function, reachable via the `*` operator when both operands are objects. This allows the attacker to cause an application crash with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:jq-main@aarch64",
          "Red Hat Hardened Images:jq-main@src",
          "Red Hat Hardened Images:jq-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-43896"
        },
        {
          "category": "external",
          "summary": "RHBZ#2469184",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2469184"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-43896",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-43896"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-43896",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43896"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846",
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846"
        }
      ],
      "release_date": "2026-05-11T17:24:48.149000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T15:16:12+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29986"
        },
        {
          "category": "workaround",
          "details": "Do not process untrusted input with the jq command line JSON processor.",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jq: stack overflow in recursive object merge"
    },
    {
      "cve": "CVE-2026-47770",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-06-25T18:02:08.763512+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2493034"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jq, a command-line JSON processor. This vulnerability allows a local user or an attacker providing malicious input to cause a denial of service (DoS) by comparing two sufficiently deeply nested arrays using the \u0027==\u0027 operator. This action exhausts the C stack due to uncontrolled recursion, leading to a crash of the jq process.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jq: jq: Denial of Service via deeply nested array comparison",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:jq-main@aarch64",
          "Red Hat Hardened Images:jq-main@src",
          "Red Hat Hardened Images:jq-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-47770"
        },
        {
          "category": "external",
          "summary": "RHBZ#2493034",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493034"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-47770",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47770"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-47770",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47770"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-3pgx-frr7-3jxp",
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-3pgx-frr7-3jxp"
        }
      ],
      "release_date": "2026-06-25T17:22:21.531000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T15:16:12+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29986"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jq: jq: Denial of Service via deeply nested array comparison"
    },
    {
      "cve": "CVE-2026-54679",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2026-06-25T18:01:50.223402+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2493030"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in jq, a command-line JSON processor. On 32-bit systems, a local attacker could exploit an integer overflow vulnerability in the `jvp_string_append` function. This could lead to a massive buffer overrun, resulting in a denial of service (DoS) condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jq: jq: Denial of Service via integer overflow and buffer overrun on 32-bit systems",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:jq-main@aarch64",
          "Red Hat Hardened Images:jq-main@src",
          "Red Hat Hardened Images:jq-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-54679"
        },
        {
          "category": "external",
          "summary": "RHBZ#2493030",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493030"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-54679",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54679"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-54679",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54679"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-29gj-222p-j7vx",
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-29gj-222p-j7vx"
        }
      ],
      "release_date": "2026-06-25T17:16:18.072000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T15:16:12+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:29986"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:jq-main@aarch64",
            "Red Hat Hardened Images:jq-main@src",
            "Red Hat Hardened Images:jq-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jq: jq: Denial of Service via integer overflow and buffer overrun on 32-bit systems"
    }
  ]
}

CVE-2026-40612 (GCVE-0-2026-40612)

Vulnerability from cvelistv5 – Published: 2026-05-11 17:16 – Updated: 2026-05-11 18:23

Title

jq: Stack overflow via unbounded recursion in jv_contains

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

Severity

5.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-674 - Uncontrolled Recursion

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jqlang/jq/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jqlang	jq	Affected: <= 1.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40612",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:23:24.815066Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:23:27.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T17:16:25.453Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j"
        }
      ],
      "source": {
        "advisory": "GHSA-r7m6-x9c7-h69j",
        "discovery": "UNKNOWN"
      },
      "title": "jq: Stack overflow via unbounded recursion in jv_contains"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40612",
    "datePublished": "2026-05-11T17:16:25.453Z",
    "dateReserved": "2026-04-14T14:07:59.642Z",
    "dateUpdated": "2026-05-11T18:23:27.762Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41256 (GCVE-0-2026-41256)

Vulnerability from cvelistv5 – Published: 2026-05-11 17:18 – Updated: 2026-06-23 15:51

Title

jq: Embedded NUL truncates top-level jq programs loaded with -f

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-158 - Improper Neutralization of Null Byte or NUL Character

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jqlang/jq/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jqlang	jq	Affected: <= 1.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41256",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T20:12:56.609851Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T15:51:43.506Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \\x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-158",
              "description": "CWE-158: Improper Neutralization of Null Byte or NUL Character",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T17:18:30.975Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg"
        }
      ],
      "source": {
        "advisory": "GHSA-vf2h-chrj-q3fg",
        "discovery": "UNKNOWN"
      },
      "title": "jq: Embedded NUL truncates top-level jq programs loaded with -f"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41256",
    "datePublished": "2026-05-11T17:18:30.975Z",
    "dateReserved": "2026-04-18T14:01:46.801Z",
    "dateUpdated": "2026-06-23T15:51:43.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-41257 (GCVE-0-2026-41257)

Vulnerability from cvelistv5 – Published: 2026-05-11 17:14 – Updated: 2026-05-11 19:25

Title

jq: Signed-int overflow in `stack_reallocate` (jq VM stack)

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.

Severity

6.4 (Medium)


                        
                          CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-190 - Integer Overflow or Wraparound
CWE-787 - Out-of-bounds Write

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jqlang/jq/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jqlang	jq	Affected: <= 1.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41257",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T19:25:55.560785Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T19:25:59.800Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM\u0027s data stack tracks its allocation size in a signed int. When the stack grows beyond \u22481 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T17:14:32.579Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539"
        }
      ],
      "source": {
        "advisory": "GHSA-4jm8-m363-4539",
        "discovery": "UNKNOWN"
      },
      "title": "jq: Signed-int overflow in `stack_reallocate` (jq VM stack)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41257",
    "datePublished": "2026-05-11T17:14:32.579Z",
    "dateReserved": "2026-04-18T14:01:46.801Z",
    "dateUpdated": "2026-05-11T19:25:59.800Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43894 (GCVE-0-2026-43894)

Vulnerability from cvelistv5 – Published: 2026-05-11 17:20 – Updated: 2026-05-11 18:32

Title

jq: Wild stack write via signed-integer overflow in decNumber D2U() macro

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).

Severity

6.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jqlang/jq/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jqlang	jq	Affected: <= 1.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43894",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-11T18:32:08.384699Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-11T18:32:43.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes \u2248715 million 16-bit units (\u22481.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T17:20:06.055Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g"
        }
      ],
      "source": {
        "advisory": "GHSA-5v7p-2r57-2g4g",
        "discovery": "UNKNOWN"
      },
      "title": "jq: Wild stack write via signed-integer overflow in decNumber D2U() macro"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-43894",
    "datePublished": "2026-05-11T17:20:06.055Z",
    "dateReserved": "2026-05-04T15:17:09.330Z",
    "dateUpdated": "2026-05-11T18:32:43.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43895 (GCVE-0-2026-43895)

Vulnerability from cvelistv5 – Published: 2026-05-11 17:24 – Updated: 2026-05-13 14:41

Title

jq: Embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.

Severity

4.4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-20 - Improper Input Validation
CWE-158 - Improper Neutralization of Null Byte or NUL Character

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jqlang/jq/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jqlang	jq	Affected: <= 1.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43895",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T12:49:39.558583Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:41:03.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-158",
              "description": "CWE-158: Improper Neutralization of Null Byte or NUL Character",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T17:24:02.880Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr"
        }
      ],
      "source": {
        "advisory": "GHSA-7q7g-mrq3-phxr",
        "discovery": "UNKNOWN"
      },
      "title": "jq: Embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-43895",
    "datePublished": "2026-05-11T17:24:02.880Z",
    "dateReserved": "2026-05-04T15:17:09.330Z",
    "dateUpdated": "2026-05-13T14:41:03.888Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-43896 (GCVE-0-2026-43896)

Vulnerability from cvelistv5 – Published: 2026-05-11 17:24 – Updated: 2026-05-12 16:15

Title

jq: Stack Overflow in Recursive Object Merge

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

Severity

6.2 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-674 - Uncontrolled Recursion

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jqlang/jq/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jqlang	jq	Affected: <= 1.8.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43896",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-12T16:14:34.358878Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-12T16:15:17.281Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.8.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T17:24:48.149Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846"
        }
      ],
      "source": {
        "advisory": "GHSA-mg96-6h3q-g846",
        "discovery": "UNKNOWN"
      },
      "title": "jq: Stack Overflow in Recursive Object Merge"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-43896",
    "datePublished": "2026-05-11T17:24:48.149Z",
    "dateReserved": "2026-05-04T15:17:09.331Z",
    "dateUpdated": "2026-05-12T16:15:17.281Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-47770 (GCVE-0-2026-47770)

Vulnerability from cvelistv5 – Published: 2026-06-25 17:22 – Updated: 2026-06-26 18:42

Title

jq: stack overflow in deep structural equality

Summary

jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.

Severity

6.8 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-674 - Uncontrolled Recursion

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jqlang/jq/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jqlang	jq	Affected: < 1.8.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-47770",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T17:50:44.688232Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T18:42:45.982Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq\u0027s ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq\u0027s recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from  the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context  where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-674",
              "description": "CWE-674: Uncontrolled Recursion",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T17:22:21.531Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-3pgx-frr7-3jxp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-3pgx-frr7-3jxp"
        }
      ],
      "source": {
        "advisory": "GHSA-3pgx-frr7-3jxp",
        "discovery": "UNKNOWN"
      },
      "title": "jq: stack overflow in deep structural equality"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47770",
    "datePublished": "2026-06-25T17:22:21.531Z",
    "dateReserved": "2026-05-19T22:36:16.882Z",
    "dateUpdated": "2026-06-26T18:42:45.982Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-54679 (GCVE-0-2026-54679)

Vulnerability from cvelistv5 – Published: 2026-06-25 17:16 – Updated: 2026-06-25 18:09

Title

jq: potential integer overflow in jvp_string_append

Summary

jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun. This vulnerability is fixed in 1.8.2.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/jqlang/jq/security/advisories/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
jqlang	jq	Affected: < 1.8.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-54679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T18:01:37.317964Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T18:09:00.477Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jq",
          "vendor": "jqlang",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun.  This vulnerability is fixed in 1.8.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T17:16:18.072Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jqlang/jq/security/advisories/GHSA-29gj-222p-j7vx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jqlang/jq/security/advisories/GHSA-29gj-222p-j7vx"
        }
      ],
      "source": {
        "advisory": "GHSA-29gj-222p-j7vx",
        "discovery": "UNKNOWN"
      },
      "title": "jq: potential integer overflow in jvp_string_append"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-54679",
    "datePublished": "2026-06-25T17:16:18.072Z",
    "dateReserved": "2026-06-15T22:53:58.561Z",
    "dateUpdated": "2026-06-25T18:09:00.477Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:29986

CVE-2026-40612 (GCVE-0-2026-40612)

CVE-2026-41256 (GCVE-0-2026-41256)

CVE-2026-41257 (GCVE-0-2026-41257)

CVE-2026-43894 (GCVE-0-2026-43894)

CVE-2026-43895 (GCVE-0-2026-43895)

CVE-2026-43896 (GCVE-0-2026-43896)

CVE-2026-47770 (GCVE-0-2026-47770)

CVE-2026-54679 (GCVE-0-2026-54679)

Tags

Sightings

Nomenclature