CVE-2026-41257
Published 2026-05-11
Priority P4 · 22 · medium · 5.5 CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:N / A:H
EPSS: 0.14% (3.8th percentile)
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| jqlang | jq | <= 1.8.1 | — |
| jqlang | jq | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 6.4 | MEDIUM | CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.4 | MEDIUM | — |
Red Hat
jq: signed-int overflow in stack_reallocate
vendor_redhat·2026-05-11·CVSS 6.4
CVE-2026-41257 [MEDIUM] CWE-190 jq: signed-int overflow in stack_reallocate
A flaw was found in jq, a command line JSON processor. The memory allocation size is calculated using a signed integer that can overflow when processing deeply nested generator forks. This integer overflow allows an attacker who can supply a sufficiently nested input to influence the memory allocation size, causing an out-of-bounds write and an application crash, resulting in a denial of service.
Statement: To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq that triggers deeply nested generator forks. This allows the attacker to overflow the integer used to calculate memory size and cause an out-of-bounds write, effectively resulting in an application crash with no other security impact. Due to these r
VulDB
jqlang jq up to 1.8.1 integer overflow (GHSA-4jm8-m363-4539)
vuldb·2026-05-11·CVSS 6.4
CVE-2026-41257 [MEDIUM] jqlang jq up to 1.8.1 integer overflow (GHSA-4jm8-m363-4539)
A vulnerability described as problematic has been identified in jqlang jq up to 1.8.1. The impacted element is an unknown function. Executing a manipulation can lead to integer overflow.
This vulnerability is registered as CVE-2026-41257. The attack needs to be launched locally. No exploit is available.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-41257 jq: signed-int overflow in stack_reallocate [fedora-all]
bugzilla·2026-05-13·CVSS 6.4
CVE-2026-41257 [MEDIUM] CVE-2026-41257 jq: signed-int overflow in stack_reallocate [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-41257 jq: signed-int overflow in stack_reallocate
bugzilla·2026-05-11·CVSS 6.4
CVE-2026-41257 [MEDIUM] CVE-2026-41257 jq: signed-int overflow in stack_reallocate
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.