CVE-2026-43894
Received Received - Intake
Heap Overflow in jq JSON Processor

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes β‰ˆ715 million 16-bit units (β‰ˆ1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-43894
EUVD
EUVD-2026-29172
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jqlang jq to 1.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-43894 is a vulnerability in the jq command-line JSON processor, specifically affecting versions up to 1.8.1. It arises from a signed-integer overflow in the decNumber library's D2U() macro when processing a very large number literal with INT_MAX-1 (2147483646) digits.

This overflow causes the macro to produce a negative value that bypasses heap-allocation size checks, leading the function to use a small 30-byte stack buffer instead. Subsequently, the function writes approximately 715 million 16-bit units (around 1.4 GiB) of attacker-controlled data at an offset 1.43 GiB below the stack frame, potentially corrupting memory.

The vulnerability is triggered by using the tonumber function on a specially crafted string, not by raw JSON parsing. The root cause is the signed-integer overflow in arithmetic operations within the D2U() macro.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to memory corruption or crashes in the jq tool when processing malicious input. Because the function writes a large amount of attacker-controlled data to a stack buffer, it can corrupt memory regions, potentially causing denial of service or unpredictable behavior depending on the system's memory layout.

Detection Guidance

This vulnerability in jq can be detected by testing if the jq version in use is 1.8.1 or earlier, as these versions are affected.

Since the vulnerability is triggered by the tonumber function processing a string with INT_MAX-1 digits, a detection command can attempt to run jq with a crafted input that uses string repetition to create a large number string and applies tonumber.

An example command to test jq for this vulnerability could be:

  • echo '"0" * 2147483646 | jq 'tonumber''

If jq crashes or behaves unexpectedly, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid using vulnerable versions of jq (1.8.1 and earlier) especially with untrusted input that might trigger the tonumber function on large numeric strings.
  • Update jq to a version where the vulnerability is fixed, either by capping input length or modifying the D2U() macro to use unsigned or 64-bit arithmetic.
  • If updating is not immediately possible, restrict or sanitize inputs to jq to prevent processing extremely large numeric strings.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43894. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart