Use-after-free in jq - #VU126893

Published: April 23, 2026


Vulnerability identifier: #VU126893
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-416
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: stedolan (Stephen Dolan)
Affected software:
jq

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code in the context of an application that embeds libjq.

The vulnerability exists due to a use-after-free in the args2obj() function in src/execute.c, which converts the named arguments passed to the public jq_compile_args() API into a jq object. When the arguments are supplied as an array of named entries rather than as an object, an array containing two or more named argument entries triggers the use-after-free. A local user who controls those entries can execute arbitrary code.

The standard jq CLI binary is not affected because it passes an object rather than an array to args2obj(); only applications that embed libjq and call jq_compile_args() with the array form are exposed.


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources