CVE-2026-54679
Status: Undergoing Analysis - In Progress
Heap Buffer Overflow in jq JSON Processor

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. Prior to 1.8.2, on 32-bit systems, jvp_string_append can suffer an integer (multiplication) overflow that then causes a massive buffer overrun. This vulnerability is fixed in 1.8.2.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor      Product   Version / Range
stedolan    jq        1.8.2
jq          jq        1.8.2
Weakness (CWE)
CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the jq tool, specifically in the function jvp_string_append on 32-bit systems. When the combined length of an existing string and new data approaches the maximum integer value for 32-bit systems (INT_MAX), an integer overflow can occur during memory allocation.

The function attempts to allocate memory by doubling the size, but this calculation overflows the 32-bit size type, causing the program to allocate far less memory than needed (only 13 bytes instead of the required size). This leads to a massive heap buffer overflow when the program writes beyond the allocated memory.

This issue was fixed in jq version 1.8.2.
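As an added illustration (not jq's code and not taken from the advisory), the following C program reproduces the CWE-190 arithmetic the summary describes: a string buffer is grown to twice the needed length while the size is held in a 32-bit type. uint32_t stands in for size_t on a 32-bit build so the wrap is reproducible on any host; the input sizes 0x7FFFFFF0 and 0x20 are constructed values near INT_MAX, and the function names are hypothetical. The unchecked version shows the capacity collapsing to a few bytes; the checked version shows the fail-closed computation a fix of this class uses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the CWE-190 pattern behind CVE-2026-54679.
 * It is not jq's jvp_string_append; it only reproduces the arithmetic the
 * advisory describes. uint32_t stands in for size_t on a 32-bit build. */
typedef uint32_t size32_t;

/* Unchecked growth: (cur_len + add_len) * 2, each step may wrap modulo 2^32. */
size32_t grow_unchecked(size32_t cur_len, size32_t add_len)
{
    size32_t need = cur_len + add_len;   /* wraps when the sum exceeds UINT32_MAX */
    return (size32_t)(need * 2u);        /* wraps when need exceeds UINT32_MAX / 2 */
}

/* Checked growth: fail closed instead of wrapping. Writes the new capacity to
 * *cap and returns true on success; returns false if either step would wrap. */
bool grow_checked(size32_t cur_len, size32_t add_len, size32_t *cap)
{
    if (add_len > UINT32_MAX - cur_len)      /* cur_len + add_len would wrap */
        return false;
    size32_t need = cur_len + add_len;
    if (need > UINT32_MAX / 2)               /* need * 2 would wrap */
        return false;
    *cap = need * 2u;
    return true;
}

/* True when the unchecked capacity is smaller than the bytes that would be
 * copied into it, i.e. the subsequent memcpy would overrun the heap buffer.
 * The true requirement is computed in 64-bit arithmetic so it cannot wrap. */
bool unchecked_would_overrun(size32_t cur_len, size32_t add_len)
{
    uint64_t need = (uint64_t)cur_len + add_len;
    return (uint64_t)grow_unchecked(cur_len, add_len) < need;
}

/* Simulated append built on the checked computation: refuses inputs whose
 * size arithmetic would wrap, otherwise allocates and copies. Returns NULL on
 * refusal or allocation failure; the caller frees the result. */
char *append_checked(const char *cur, size32_t cur_len,
                     const char *add, size32_t add_len, size32_t *out_len)
{
    size32_t cap;
    if (!grow_checked(cur_len, add_len, &cap))
        return NULL;
    char *buf = malloc(cap ? cap : 1);
    if (!buf)
        return NULL;
    memcpy(buf, cur, cur_len);
    memcpy(buf + cur_len, add, add_len);
    *out_len = cur_len + add_len;
    return buf;
}

int main(void)
{
    /* Constructed sizes near INT_MAX: a 0x7FFFFFF0-byte string plus 0x20 bytes. */
    size32_t cur = 0x7FFFFFF0u, add = 0x20u, cap = 0;
    printf("unchecked capacity: %u bytes for %llu bytes of data -> overrun: %s\n",
           (unsigned)grow_unchecked(cur, add), (unsigned long long)cur + add,
           unchecked_would_overrun(cur, add) ? "yes" : "no");
    printf("checked growth accepted: %s\n",
           grow_checked(cur, add, &cap) ? "yes" : "no");

    size32_t n = 0;
    char *s = append_checked("hello ", 6u, "world", 5u, &n);
    if (s) {
        printf("append_checked: %.*s (%u bytes)\n", (int)n, s, (unsigned)n);
        free(s);
    }
    return 0;
}
```

With the constructed inputs the unchecked computation yields a 32-byte capacity for roughly 2 GiB of data, which is the shape of the bug the summary describes (a tiny allocation followed by a copy of the real length). The checked variant refuses the same inputs before any allocation, so the failure surfaces as an error rather than as heap corruption.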

Impact Analysis

The vulnerability can cause a massive heap buffer overflow on 32-bit systems when using jq versions prior to 1.8.2. This can lead to memory corruption, which may cause the program to crash or behave unpredictably.

Although no proof-of-concept exploit has been developed yet, such memory corruption issues can potentially be exploited to execute arbitrary code or escalate privileges, depending on the context in which jq is used.

Detection Guidance

This vulnerability affects the jq tool on 32-bit systems prior to version 1.8.2. Detection involves verifying the version of jq installed on your system.

  • Run the command `jq --version` to check the installed version.
  • If the version is older than 1.8.2 on a 32-bit system, your jq installation is vulnerable.

No specific network detection commands or proof-of-concept exploits are available as per the advisory.

Mitigation Strategies

The immediate mitigation step is to upgrade jq to version 1.8.2 or later, where this integer overflow and buffer overflow vulnerability has been fixed.

If upgrading is not immediately possible, avoid processing untrusted or specially crafted JSON inputs with jq on 32-bit systems to reduce risk.
