CVE-2026-49839
Undergoing Analysis - In Progress
Heap Out-of-Bounds Write in jq JSON Processor

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. Prior to 1.8.2, `jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2.
Meta Information

Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 3 associated CPEs

Vendor | Product | Version / Range
stedolan | jq | to 1.8.2 (inc)
jqlang | jq | to 1.8.2 (exc)
jqlang | jq | 1.8.2

CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-49839 is a heap-buffer-overflow vulnerability in the jq command-line JSON processor affecting versions 1.8.1 and earlier. It occurs when using the --rawfile option with a file that is exactly one byte larger than the maximum allowed string length (2147483648 bytes).

The vulnerability arises because the error handling for oversized strings does not properly stop the file reading loop, causing subsequent data to be appended to an invalid object. In builds with assertions enabled, this causes an abort, but in assertion-disabled builds, it leads to a heap out-of-bounds write.

An attacker who controls the file processed with --rawfile can exploit this flaw to cause memory corruption.

Impact Analysis

This vulnerability can be exploited by an attacker to crash the jq process, leading to denial of service.

It can affect automation, continuous integration (CI) jobs, or data-processing pipelines that rely on jq, potentially disrupting operations.

Additionally, the heap out-of-bounds write can compromise data integrity during JSON processing.

Detection Guidance

This vulnerability occurs when using the jq command-line JSON processor with the --rawfile option on a specially crafted file that exceeds the maximum allowed string length. Detection involves identifying usage of vulnerable jq versions (1.8.1 and earlier) and monitoring for crashes or abnormal terminations of jq processes when processing files with --rawfile.

There are no specific detection commands provided in the resources. However, you can check the jq version installed on your system using the command:

  • jq --version

If the version is 1.8.1 or earlier, your system is vulnerable. Additionally, monitoring logs or automation pipelines for jq crashes or errors when processing JSON files with --rawfile may help detect exploitation attempts.
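
The version check and a call-site inventory for --rawfile, combined into one triage script. This is an added example, not part of the advisory; the function names and the sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: triage helper for CVE-2026-49839.
# Function names and the sample version strings in comments are constructed.

# Exit status 0 if the `jq --version` string in $1 is older than 1.8.2 (the
# fixed release named in the advisory), 1 if it is 1.8.2 or newer, 2 if it
# cannot be parsed. Handles forms like "jq-1.8.1", "jq-1.6", "jq-1.7.1-dirty".
jq_version_is_affected() {
    _v=${1#jq-}
    _v=$(printf '%s\n' "$_v" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p')
    [ -n "$_v" ] || return 2
    _ifs=$IFS; IFS=.
    set -- $_v                       # split on dots: major minor patch
    IFS=$_ifs
    _maj=${1:-0}; _min=${2:-0}; _pat=${3:-0}
    [ "$_maj" -lt 1 ] && return 0
    [ "$_maj" -gt 1 ] && return 1
    [ "$_min" -lt 8 ] && return 0
    [ "$_min" -gt 8 ] && return 1
    [ "$_pat" -lt 2 ]
}

# Print "file:line" for every jq command under directory $1 that passes
# --rawfile; these are the places where file contents reach the affected path.
find_rawfile_callsites() {
    grep -rnE 'jq[^|;&]*--rawfile' "$1" 2>/dev/null | cut -d: -f1,2
}

# $1 = directory to scan, $2 = version string (default: the installed jq).
# Returns 1 when an affected jq has --rawfile callers, 2 when the version is
# unrecognised, 0 otherwise.
audit_jq_rawfile() {
    _ver=${2:-$(jq --version 2>/dev/null || true)}
    _rc=0; jq_version_is_affected "$_ver" || _rc=$?
    case $_rc in
        1) echo "jq $_ver: 1.8.2 or newer"; return 0 ;;
        2) echo "jq version '$_ver' not recognised; check manually"; return 2 ;;
    esac
    _sites=$(find_rawfile_callsites "$1")
    if [ -z "$_sites" ]; then
        echo "$_ver is affected; no --rawfile use found under $1"; return 0
    fi
    echo "$_ver is affected; review these --rawfile call sites:"
    echo "$_sites"
    return 1
}

# Run as a script: sh audit.sh <directory> [version-string]
[ "$#" -eq 0 ] || audit_jq_rawfile "$@"
```

A version string alone cannot show whether a distribution backported the fix to an older release or whether the build has assertions enabled, so treat a positive result as a prompt to check the package changelog.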

Mitigation Strategies

The immediate mitigation step is to upgrade jq to version 1.8.2 or later, where this heap-buffer-overflow vulnerability has been fixed.

Until the upgrade can be applied, avoid using the --rawfile option with untrusted or attacker-controlled files, especially those that may exceed the maximum allowed string length.

Additionally, consider enabling assertions in your jq builds if possible, as this causes the process to abort rather than silently corrupt memory, which may help in early detection of exploitation attempts.
