Buffer Overflow in jq Command-Line JSON Processor
CVE-2026-41257

6.4MEDIUM

Key Information:

Vendor: Jqlang
Status: Jq
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-41257?

The jq command-line JSON processor has a vulnerability in its bytecode VM related to how the data stack tracks allocation size. In versions 1.8.1 and earlier, an integer overflow can occur when the stack exceeds roughly 1 GiB due to deeply nested generator forks. This can lead to the wrapped value being incorrectly passed to realloc, which subsequently affects a memmove operation using offsets influenced by an attacker. It poses a risk to data integrity and system security.

Affected Version(s)

jq <= 1.8.1

References

https://github.com/jqlang/jq/security/advisories/GHSA-4jm...

x_refsource_CONFIRM

CVSS V4

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Apr 18, 2026

CVE-2026-41257 Data

JSON

Jqlang

What is CVE-2026-41257?

Affected Version(s)

References

CVSS V4

Timeline