CVE-2026-43894
Heap Overflow in jq JSON Processor
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jqlang | jq | to 1.8.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-43894 is a vulnerability in the jq command-line JSON processor, specifically affecting versions up to 1.8.1. It arises from a signed-integer overflow in the decNumber library's D2U() macro when processing a very large number literal with INT_MAX-1 (2147483646) digits.
This overflow causes the macro to produce a negative value that bypasses heap-allocation size checks, leading the function to use a small 30-byte stack buffer instead. Subsequently, the function writes approximately 715 million 16-bit units (around 1.4 GiB) of attacker-controlled data at an offset 1.43 GiB below the stack frame, potentially corrupting memory.
The vulnerability is triggered by using the tonumber function on a specially crafted string, not by raw JSON parsing. The root cause is the signed-integer overflow in arithmetic operations within the D2U() macro.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption or crashes in the jq tool when processing malicious input. Because the function writes a large amount of attacker-controlled data to a stack buffer, it can corrupt memory regions, potentially causing denial of service or unpredictable behavior depending on the system's memory layout.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability in jq can be detected by testing if the jq version in use is 1.8.1 or earlier, as these versions are affected.
Since the vulnerability is triggered by the tonumber function processing a string with INT_MAX-1 digits, a detection command can attempt to run jq with a crafted input that uses string repetition to create a large number string and applies tonumber.
An example command to test jq for this vulnerability could be:
- echo '"0" * 2147483646 | jq 'tonumber''
If jq crashes or behaves unexpectedly, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid using vulnerable versions of jq (1.8.1 and earlier) especially with untrusted input that might trigger the tonumber function on large numeric strings.
- Update jq to a version where the vulnerability is fixed, either by capping input length or modifying the D2U() macro to use unsigned or 64-bit arithmetic.
- If updating is not immediately possible, restrict or sanitize inputs to jq to prevent processing extremely large numeric strings.