CVE-2026-41257
Received Received - Intake
Heap Overflow in jq JSON Processor

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond β‰ˆ1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-20
NVD
CVE-2026-41257
EUVD
EUVD-2026-29163
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jqlang jq to 1.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-41257 is a signed integer overflow in the jq command-line JSON processor's virtual machine stack management. Specifically, the jq VM's data stack uses a signed integer to track its allocation size. When the stack grows beyond approximately 1 GiB due to deeply nested generator forks, the arithmetic used to double the stack size overflows the signed integer limit.

This overflow causes the stack size value to wrap around to a smaller number, which is then passed to memory reallocation functions and used in memory move operations with offsets that can be influenced by an attacker. This can lead to heap corruption.

Impact Analysis

This vulnerability can impact you by causing a denial-of-service (DoS) condition through an out-of-memory (OOM) error if the stack overflow occurs. Under certain conditions, it can also lead to a heap write vulnerability, which may allow an attacker to corrupt memory and potentially execute arbitrary code or cause unexpected behavior in the jq process.

Detection Guidance

This vulnerability involves a signed integer overflow in the jq VM stack when processing deeply nested generator forks that cause the stack to grow beyond approximately 1 GiB.

Detection on a system would involve monitoring jq usage for unusually deep or complex JSON processing tasks that might trigger the stack growth beyond this limit.

There are no specific commands provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of jq on deeply nested JSON inputs that could cause the stack to grow beyond approximately 1 GiB.

Applying patches or updates that fix the vulnerability by changing the stack pointer and size variables to larger types (such as ptrdiff_t or int64_t) and implementing a hard cap on stack size is recommended.

If an updated version of jq is available that addresses this issue, upgrading to that version is the best immediate action.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41257. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart