CVE-2026-49839

HIGH 7.1

jq --rawfile invalid-state reuse after String too long causes heap-buffer-overflow

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

jq is a command-line JSON processor. Prior to 1.8.2,` jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2.

CWE	CWE-787
Vendor	jqlang
Product	jq
Published	Jun 25, 2026
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for jqlang jq

Be the first to know when new high vulnerabilities affecting jqlang jq are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

jqlang / jq

< 1.8.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jqlang/jq/security/advisories/GHSA-cfh2-vwfq-qfmm