Heap Buffer Overflow Vulnerability in jq Command-Line JSON Processor
CVE-2026-49839

7.1 HIGH

Key Information:

Vendor: Jqlang
Status: Vendor
CVE Published: 25 June 2026

What is CVE-2026-49839?

A heap buffer overflow vulnerability exists in jq, a command-line JSON processor, in versions prior to 1.8.2. The issue is reached through the '--rawfile' option: when an attacker controls the input file, jq can be driven into an invalid state. The root cause is improper string handling while the file is read in chunks, which makes jq repeatedly append data beyond the buffer's limits. In builds compiled without assertions this results in a heap-buffer-overflow condition, creating potential opportunities for exploitation.

Affected Version(s)

jq < 1.8.2
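As an added example (not from the advisory or the jq project), a POSIX sh check that parses the string `jq --version` prints and reports whether the installed build falls in the affected range (jq < 1.8.2). The version-string formats it accepts, such as `jq-1.7.1` or `jq-1.8.1-dirty`, are assumptions about jq's output.

```shell
#!/bin/sh
# Added example, not jq project code: classify a jq version string against
# the affected range of CVE-2026-49839 (jq < 1.8.2).

# Normalise "jq-1.7.1", "1.8" or "jq-1.8.1-dirty" into "MAJOR MINOR PATCH".
# Assumed input format: optional "jq-" prefix, dotted numbers, optional "-suffix".
jq_version_parts() {
    v="${1#jq-}"             # strip the "jq-" prefix if present
    v="${v%%-*}"             # drop any "-suffix" (e.g. git describe noise)
    old_ifs=$IFS
    IFS=.
    set -- $v                # split on dots into positional parameters
    IFS=$old_ifs
    m=${1%%[!0-9]*}; n=${2%%[!0-9]*}; p=${3%%[!0-9]*}   # keep leading digits only
    printf '%s %s %s\n' "${m:-0}" "${n:-0}" "${p:-0}"
}

# Return 0 (true) when the version is strictly below 1.8.2, 1 otherwise.
jq_is_affected() {
    set -- $(jq_version_parts "$1")
    major=$1; minor=$2; patch=$3
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    [ "$patch" -lt 2 ]
}

# Inspect the jq on this host, if any. Exit status: 0 affected, 1 not, 2 absent.
check_installed_jq() {
    if ! command -v jq >/dev/null 2>&1; then
        echo "jq not installed"
        return 2
    fi
    ver=$(jq --version 2>/dev/null)
    if jq_is_affected "$ver"; then
        echo "$ver: affected by CVE-2026-49839 (update to jq 1.8.2 or later)"
        return 0
    fi
    echo "$ver: not affected"
    return 1
}
```

Source the file and call `check_installed_jq` to test the local jq; `jq_is_affected` can also be fed version strings collected from an inventory.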

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved