CVE-2026-41257
Heap Overflow in jq JSON Processor
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jqlang | jq | up to 1.8.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-41257 is a signed integer overflow in the jq command-line JSON processor's virtual machine stack management. Specifically, the jq VM's data stack uses a signed integer to track its allocation size. When the stack grows beyond approximately 1 GiB due to deeply nested generator forks, the arithmetic used to double the stack size overflows the signed integer limit.
This overflow causes the stack size value to wrap around to a smaller number, which is then passed to memory reallocation functions and used in memory move operations with offsets that can be influenced by an attacker. This can lead to heap corruption.
How can this vulnerability impact me?
This vulnerability can cause a denial-of-service (DoS) condition through an out-of-memory (OOM) error when the stack size overflow occurs. Under certain conditions, it can also lead to an out-of-bounds heap write, which may allow an attacker to corrupt memory and potentially execute arbitrary code or cause unexpected behavior in the jq process.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a signed integer overflow in the jq VM stack when processing deeply nested generator forks that cause the stack to grow beyond approximately 1 GiB.
Detection on a system would involve monitoring jq usage for unusually deep or complex JSON processing tasks that might trigger the stack growth beyond this limit.
There are no specific commands provided in the available resources to detect this vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of jq on deeply nested JSON inputs that could cause the stack to grow beyond approximately 1 GiB.
Applying patches or updates that fix the vulnerability by changing the stack pointer and size variables to larger types (such as ptrdiff_t or int64_t) and implementing a hard cap on stack size is recommended.
If an updated version of jq is available that addresses this issue, upgrading to that version is the best immediate action.
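The wraparound and the fix described above, as an added C example that is not jq's code: it contrasts a 32-bit signed size field with a 64-bit size that is checked against a hard cap before growing. The function names, the `(cur + need) * 2` growth policy and the 1 GiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed hard cap for the illustration (1 GiB); not jq's actual limit. */
#define STACK_HARD_CAP ((int64_t)1 << 30)

/* Value a 32-bit signed size field would hold after "(cur + need) * 2".
 * Computed in uint32_t so the wraparound is well-defined in this demo;
 * the same arithmetic on int is undefined behaviour in C. */
int64_t grow_as_int32(int32_t cur, int32_t need) {
    uint32_t bits = ((uint32_t)cur + (uint32_t)need) * 2u;
    return bits > (uint32_t)INT32_MAX ? (int64_t)bits - ((int64_t)1 << 32)
                                      : (int64_t)bits;
}

/* Hardened growth: 64-bit sizes, every addition checked against the cap
 * before it is performed. Returns 0 and sets *out, or -1 to refuse. */
int grow_checked(int64_t cur, int64_t need, int64_t *out) {
    if (cur < 0 || need < 0 || cur > STACK_HARD_CAP)
        return -1;
    if (need > STACK_HARD_CAP - cur)      /* cur + need would pass the cap */
        return -1;
    int64_t want = cur + need;
    /* Double while there is headroom, otherwise clamp to the cap. */
    *out = want > STACK_HARD_CAP / 2 ? STACK_HARD_CAP : want * 2;
    return 0;
}

int main(void) {
    int64_t out = 0;
    printf("int32 field after growth at 1 GiB: %lld\n",
           (long long)grow_as_int32(1 << 30, 16));
    if (grow_checked((int64_t)1 << 30, 16, &out) != 0)
        puts("checked growth at 1 GiB: refused");
    if (grow_checked((int64_t)1 << 29, 16, &out) == 0)
        printf("checked growth at 512 MiB: %lld\n", (long long)out);
    return 0;
}
```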