SB2026042336 - Multiple vulnerabilities in jq
Published: April 23, 2026 Updated: April 25, 2026
Description
This security bulletin contains information about 5 vulnerabilities.
1) Use-after-free (CVE-ID: N/A)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to use-after-free in the args2obj() function in src/execute.c when processing array arguments in the public jq_compile_args() API. A local user can supply a crafted array with 2 or more named argument entries to execute arbitrary code.
The standard jq CLI binary is not affected because it passes an object rather than an array to args2obj().
2) Double free
CWE-ID: CWE-415 - Double Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to double free in the args2obj() function in src/execute.c when processing array arguments in the public jq_compile_args() API. A local user can supply a crafted array with 1 or more named argument entries to cause a denial of service.
The standard jq CLI binary is not affected because it passes an object rather than an array to args2obj().
3) Integer overflow (CVE-ID: CVE-2026-41257)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to integer overflow in stack_reallocate in the jq VM stack when processing deeply nested generator forks. A local user can supply crafted jq input to trigger signed integer overflow and abort the process to cause a denial of service.
In the observed case, the wrapped allocation size causes memory allocation failure and process abort. A small positive truncation may also lead to a wild memmove write before the buffer.
4) Uncontrolled Recursion (CVE-ID: CVE-2026-40612)
CWE-ID: CWE-674 - Uncontrolled Recursion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to uncontrolled recursion in jv_contains when processing deeply nested arrays or objects through contains() or inside(). A local user can supply a specially crafted nested input structure to cause a denial of service.
In libjq embedded in larger applications, exploitation may corrupt adjacent memory on systems without stack guard pages or with heap-allocated thread stacks.
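For applications that embed libjq, one way to bound the nesting depth of untrusted JSON text before it can reach contains() or inside(). This is an added example, not code from jq or from this bulletin; json_max_depth(), json_depth_ok() and the JSON_DEPTH_LIMIT value of 512 are assumptions, and the check covers only nesting that arrives as JSON text, not structures built inside a jq program.

```c
/* Added example (not jq source): pre-parse nesting guard for JSON text
 * handed to libjq. Function names and the limit are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define JSON_DEPTH_LIMIT 512  /* assumed budget; size it to your thread stacks */

/* Return the deepest array/object nesting in buf, or -1 if the brackets or
 * quotes are unbalanced. Iterative, so the scan cannot exhaust the stack. */
long json_max_depth(const char *buf, size_t len)
{
    long depth = 0, max = 0;
    int in_string = 0, escaped = 0;

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (in_string) {
            if (escaped)        escaped = 0;     /* character after a backslash */
            else if (c == '\\') escaped = 1;
            else if (c == '"')  in_string = 0;
            continue;                            /* brackets in strings do not nest */
        }
        if (c == '"') {
            in_string = 1;
        } else if (c == '[' || c == '{') {
            if (++depth > max) max = depth;
        } else if (c == ']' || c == '}') {
            if (--depth < 0) return -1;          /* closer without an opener */
        }
    }
    return (depth == 0 && !in_string) ? max : -1;
}

/* 1 if the document may be passed on to jq, 0 if it should be rejected. */
int json_depth_ok(const char *buf, size_t len)
{
    long d = json_max_depth(buf, len);
    return d >= 0 && d <= JSON_DEPTH_LIMIT;
}

int main(void)
{
    const char *doc = "{\"a\":[[1,2],{\"b\":\"]]]]\"}]}";  /* constructed sample */
    printf("depth=%ld ok=%d\n", json_max_depth(doc, strlen(doc)),
           json_depth_ok(doc, strlen(doc)));
    return 0;
}
```

Call json_depth_ok() on the raw input buffer before handing it to the jq parser, and reject the request when it returns 0.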
5) Improper Neutralization of Null Byte or NUL Character (CVE-ID: CVE-2026-41256)
CWE-ID: CWE-158 - Improper Neutralization of Null Byte or NUL Character
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass intended jq program integrity checks.
The vulnerability exists due to improper neutralization of null byte or NUL character in the top-level jq program compilation path when loading a jq program from a file with -f. A remote attacker can supply a crafted filter file containing an embedded NUL byte to bypass intended jq program integrity checks.
User interaction is required to run jq with the crafted filter file.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.