CVE-2026-41257
jq: Signed-int overflow in `stack_reallocate` (jq VM stack)
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond โ1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.
| CWE | CWE-190 CWE-787 |
| Vendor | jqlang |
| Product | jq |
| Published | May 11, 2026 |
| Last Updated | May 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for jqlang jq
Be the first to know when new unknown vulnerabilities affecting jqlang jq are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
jqlang / jq
<= 1.8.1