Double free in jq - #VU126894

 

Published: April 23, 2026


Vulnerability identifier: #VU126894
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-415
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: stedolan (Stephen Dolan)
Affected software: jq

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to a double free in the args2obj() function in src/execute.c when processing array arguments passed through the public jq_compile_args() API. A local user can supply a crafted array containing 1 or more named argument entries to cause a denial of service.

The standard jq CLI binary is not affected because it passes an object rather than an array to args2obj().


Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
