CVE-2026-43894
published 2026-05-11CVE-2026-43894: jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro…
PriorityP423medium5.5CVSS 3.1
AVLACLPRLUINSUCNINAH
EPSS
0.16%
5.4th percentile
jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| jqlang | jq | <= 1.8.1 | — |
| jqlang | jq | — | — |
CVSS provenance
nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat6.2MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
jq: jq: Arbitrary Code Execution or Denial of Service via Signed Integer Overflow
vendor_redhat·2026-05-11·CVSS 6.2
CVE-2026-43894 [MEDIUM] CWE-190 jq: jq: Arbitrary Code Execution or Denial of Service via Signed Integer Overflow
jq: jq: Arbitrary Code Execution or Denial of Service via Signed Integer Overflow
A flaw was found in jq, a tool used for processing JSON data from the command line. A remote attacker can exploit a vulnerability by providing a specially crafted large number as input. This can cause an internal calculation error, leading to a memory overflow where the attacker can write their own data into the system's memory, potentially resulting in the application crashing (Denial of Service).
Package: ansible-automation-platform-26/controller-rhel9 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: ansible-automation-platform-26/hub-rhel9 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: automation-controller (Red Hat Ansible Automation Platform 2) - Out of support scope
VulDB
jqlang jq up to 1.8.1 D2U integer overflow (GHSA-5v7p-2r57-2g4g)
vuldb·2026-05-11·CVSS 6.2
CVE-2026-43894 [MEDIUM] jqlang jq up to 1.8.1 D2U integer overflow (GHSA-5v7p-2r57-2g4g)
A vulnerability has been found in jqlang jq up to 1.8.1 and classified as problematic. Affected by this issue is the function D2U. Performing a manipulation results in integer overflow.
This vulnerability is known as CVE-2026-43894. Attacking locally is a requirement. No exploit is available.
No detection rules found.
No public exploits indexed.
2026-05-11
Published