{"schema_version":"1.7.2","id":"OESA-2026-2424","modified":"2026-05-22T13:21:43Z","published":"2026-05-22T13:21:43Z","upstream":["CVE-2026-40612","CVE-2026-41256","CVE-2026-41257","CVE-2026-43894","CVE-2026-43895","CVE-2026-43896","CVE-2026-44777"],"summary":"jq security update","details":"jq is a lightweight and flexible command-line JSON processor. you can use it to slice and filter and map and transform structured data. It is written in portable C, and it has zero runtime dependencies. it can mangle the data format that you have into the one that you want.\r\n\r\nSecurity Fix(es):\n\njq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.(CVE-2026-40612)\n\njq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \\x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.(CVE-2026-41256)\n\njq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.(CVE-2026-41257)\n\njq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).(CVE-2026-43894)\n\njq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.(CVE-2026-43895)\n\njq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.(CVE-2026-43896)\n\njq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two\notherwise valid modules include each other.(CVE-2026-44777)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"jq","purl":"pkg:rpm/openEuler/jq&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.0-4.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["jq-1.8.0-4.oe2003sp4.aarch64.rpm","jq-debuginfo-1.8.0-4.oe2003sp4.aarch64.rpm","jq-debugsource-1.8.0-4.oe2003sp4.aarch64.rpm","jq-devel-1.8.0-4.oe2003sp4.aarch64.rpm"],"noarch":["jq-help-1.8.0-4.oe2003sp4.noarch.rpm"],"src":["jq-1.8.0-4.oe2003sp4.src.rpm"],"x86_64":["jq-1.8.0-4.oe2003sp4.x86_64.rpm","jq-debuginfo-1.8.0-4.oe2003sp4.x86_64.rpm","jq-debugsource-1.8.0-4.oe2003sp4.x86_64.rpm","jq-devel-1.8.0-4.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2424"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40612"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41256"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41257"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43894"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43895"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43896"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44777"}],"database_specific":{"severity":"Medium"}}