CVE-2026-54679
Published 2026-06-25
Priority: P422
Severity: medium (CVSS 3.1 base score 5.5)
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.10% (1.2th percentile)
jq is a command-line JSON processor. Prior to 1.8.2, on 32-bit systems, jvp_string_append has a chance of integer/multiple overflow, causing a massive buffer overrun. This vulnerability is fixed in 1.8.2.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| ansible-automation-platform-27 | controller-rhel9 | — | — |
| ansible-automation-platform-27 | hub-rhel9 | — | — |
| jqlang | jq | < 1.8.2 | 1.8.2 |
| jqlang | jq | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.9 | MEDIUM | — |
VulDB
jqlang jq up to 1.8.1 integer overflow
vuldb · 2026-06-25 · CVSS 6.9 · MEDIUM
A vulnerability described as problematic has been identified in jqlang jq up to 1.8.1. This affects an unknown part. The manipulation results in integer overflow.
This vulnerability is known as CVE-2026-54679. Attacking locally is a requirement. No exploit is available.
Upgrading the affected component is recommended.
Red Hat
jq: Denial of Service via integer overflow and buffer overrun on 32-bit systems
vendor_redhat · 2026-06-25 · CVSS 6.9 · MEDIUM · CWE-190
A flaw was found in jq, a command-line JSON processor. On 32-bit systems, a local attacker could exploit an integer overflow vulnerability in the `jvp_string_append` function. This could lead to a massive buffer overrun, resulting in a denial of service (DoS) condition.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Package: ansible-automation-platform-26/controller-rhel9 (Red Hat Ansible Automation Platform 2) - Fix deferred
Package: ansible-automation-platform-26/hub-rhel9 (Red Hat Ansible Automation Platf
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-54679 jq: Denial of Service via integer overflow and buffer overrun on 32-bit systems
bugzilla · 2026-06-25 · CVSS 6.9 · MEDIUM
jq is a command-line JSON processor. Prior to 1.8.2, on 32-bit systems, jvp_string_append has a chance of integer/multiple overflow, causing a massive buffer overrun. This vulnerability is fixed in 1.8.2.
Bugzilla
CVE-2026-54679 jq: Denial of Service via integer overflow and buffer overrun on 32-bit systems [fedora-all]
bugzilla · 2026-06-25 · CVSS 6.9 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Published: 2026-06-25