Action not permitted
Modal body text goes here.
Modal Title
Modal Body
usn-8202-2
Vulnerability from osv_ubuntu
USN-8202-1 fixed vulnerabilities in jq. This update provides the corresponding update to Ubuntu 26.04 LTS.
Original advisory details:
It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain circumstances. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-33947)
It was discovered that jq did not correctly handle improperly terminated strings. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-33948)
It was discovered that jq did not correctly handle checking certain variable types. An attacker could possibly use this issue to cause a denial of service or leak sensitive information. (CVE-2026-39956)
It was discovered that jq did not correctly handle certain string formatting. An attacker could possibly use this issue to leak sensitive information or cause a denial of service. (CVE-2026-39979)
It was discovered that jq used a fixed seed for hash table operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-40164)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2026-32316",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-33947",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-33948",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-39956",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-39979",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2026-40164",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:26.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-4ubuntu2"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-4ubuntu2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-4ubuntu2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-4ubuntu2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.1-3ubuntu1",
"1.8.1-4ubuntu1"
]
}
],
"aliases": [],
"details": "USN-8202-1 fixed vulnerabilities in jq. This update provides the\ncorresponding update to Ubuntu 26.04 LTS.\n\nOriginal advisory details:\n\n It was discovered that jq did not correctly handle certain string\n concatenations. An attacker could possibly use this issue to cause a\n denial of service or execute arbitrary code. (CVE-2026-32316)\n\n It was discovered that jq did not correctly handle recursion in certain\n circumstances. An attacker could possibly use this issue to cause a denial\n of service. (CVE-2026-33947)\n\n It was discovered that jq did not correctly handle improperly terminated\n strings. An attacker could possibly use this issue to cause a denial of\n service or execute arbitrary code. (CVE-2026-33948)\n\n It was discovered that jq did not correctly handle checking certain\n variable types. An attacker could possibly use this issue to cause a\n denial of service or leak sensitive information. (CVE-2026-39956)\n\n It was discovered that jq did not correctly handle certain string\n formatting. An attacker could possibly use this issue to leak sensitive\n information or cause a denial of service. (CVE-2026-39979)\n\n It was discovered that jq used a fixed seed for hash table operations. An\n attacker could possibly use this issue to cause a denial of service.\n (CVE-2026-40164)",
"id": "USN-8202-2",
"modified": "2026-06-30T15:55:18Z",
"published": "2026-04-28T04:18:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-2"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-32316"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-33947"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-33948"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-39956"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-39979"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-40164"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "jq vulnerabilities",
"upstream": [
"UBUNTU-CVE-2026-32316",
"UBUNTU-CVE-2026-33947",
"UBUNTU-CVE-2026-33948",
"UBUNTU-CVE-2026-39956",
"UBUNTU-CVE-2026-39979",
"UBUNTU-CVE-2026-40164"
]
}
ubuntu-cve-2026-32316
Vulnerability from osv_ubuntu
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.3-1.1ubuntu1.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.3-1.1ubuntu1.1+esm4?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.2-8",
"1.3-1",
"1.3-1.1ubuntu1",
"1.3-1.1ubuntu1.1",
"1.3-1.1ubuntu1.1+esm3",
"1.3-1.1ubuntu1.1+esm4"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-1ubuntu0.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm4?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-1ubuntu0.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4-2.1",
"1.5+dfsg-1",
"1.5+dfsg-1ubuntu0.1",
"1.5+dfsg-1ubuntu0.1+esm2",
"1.5+dfsg-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-2ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2",
"1.5+dfsg-2ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm2?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-1ubuntu0.20.04.1+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2build1",
"1.6-1",
"1.6-1ubuntu0.20.04.1",
"1.6-1ubuntu0.20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-2.1ubuntu3.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-2.1ubuntu3.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-2.1ubuntu3.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-2.1ubuntu2",
"1.6-2.1ubuntu3",
"1.6-2.1ubuntu3.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1-3ubuntu0.24.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-3",
"1.7-1",
"1.7.1-2",
"1.7.1-3",
"1.7.1-3build1",
"1.7.1-3ubuntu0.24.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-3ubuntu1.1"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-3ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-3ubuntu1.1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-3ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.1-3ubuntu1",
"1.7.1-6ubuntu1",
"1.8.1-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-4ubuntu2"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-4ubuntu2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-4ubuntu2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-4ubuntu2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.1-3ubuntu1",
"1.8.1-4ubuntu1"
]
}
],
"aliases": [],
"details": "jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.",
"id": "UBUNTU-CVE-2026-32316",
"modified": "2026-05-20T15:27:20Z",
"published": "2026-04-13T18:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-32316"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32316"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-2"
}
],
"related": [
"USN-8202-1",
"USN-8202-2"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-32316"
]
}
ubuntu-cve-2026-33947
Vulnerability from osv_ubuntu
jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.3-1.1ubuntu1.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.3-1.1ubuntu1.1+esm4?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3-1.1ubuntu1.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.2-8",
"1.3-1",
"1.3-1.1ubuntu1",
"1.3-1.1ubuntu1.1",
"1.3-1.1ubuntu1.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-1ubuntu0.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm4?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-1ubuntu0.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4-2.1",
"1.5+dfsg-1",
"1.5+dfsg-1ubuntu0.1",
"1.5+dfsg-1ubuntu0.1+esm2",
"1.5+dfsg-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-2ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2",
"1.5+dfsg-2ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm2?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-1ubuntu0.20.04.1+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2build1",
"1.6-1",
"1.6-1ubuntu0.20.04.1",
"1.6-1ubuntu0.20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-2.1ubuntu3.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-2.1ubuntu3.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-2.1ubuntu3.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-2.1ubuntu2",
"1.6-2.1ubuntu3",
"1.6-2.1ubuntu3.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1-3ubuntu0.24.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-3",
"1.7-1",
"1.7.1-2",
"1.7.1-3",
"1.7.1-3build1",
"1.7.1-3ubuntu0.24.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-3ubuntu1.1"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-3ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-3ubuntu1.1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-3ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.1-3ubuntu1",
"1.7.1-6ubuntu1",
"1.8.1-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-4ubuntu2"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-4ubuntu2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-4ubuntu2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-4ubuntu2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.1-3ubuntu1",
"1.8.1-4ubuntu1"
]
}
],
"aliases": [],
"details": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq\u0027s src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq\u0027s setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.",
"id": "UBUNTU-CVE-2026-33947",
"modified": "2026-05-20T15:27:22Z",
"published": "2026-04-13T22:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-33947"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33947"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-2"
}
],
"related": [
"USN-8202-1",
"USN-8202-2"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-33947"
]
}
ubuntu-cve-2026-33948
Vulnerability from osv_ubuntu
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-1ubuntu0.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm4?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-1ubuntu0.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4-2.1",
"1.5+dfsg-1",
"1.5+dfsg-1ubuntu0.1",
"1.5+dfsg-1ubuntu0.1+esm2",
"1.5+dfsg-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-2ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2",
"1.5+dfsg-2ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm2?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-1ubuntu0.20.04.1+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2build1",
"1.6-1",
"1.6-1ubuntu0.20.04.1",
"1.6-1ubuntu0.20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-2.1ubuntu3.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-2.1ubuntu3.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-2.1ubuntu3.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-2.1ubuntu2",
"1.6-2.1ubuntu3",
"1.6-2.1ubuntu3.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1-3ubuntu0.24.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-3",
"1.7-1",
"1.7.1-2",
"1.7.1-3",
"1.7.1-3build1",
"1.7.1-3ubuntu0.24.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-3ubuntu1.1"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-3ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-3ubuntu1.1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-3ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.1-3ubuntu1",
"1.7.1-6ubuntu1",
"1.8.1-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-4ubuntu2"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-4ubuntu2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-4ubuntu2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-4ubuntu2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.1-3ubuntu1",
"1.8.1-4ubuntu1"
]
}
],
"aliases": [],
"details": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.",
"id": "UBUNTU-CVE-2026-33948",
"modified": "2026-05-20T15:27:22Z",
"published": "2026-04-14T00:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-33948"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33948"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-2"
}
],
"related": [
"USN-8202-1",
"USN-8202-2"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-33948"
]
}
ubuntu-cve-2026-39956
Vulnerability from osv_ubuntu
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-1ubuntu0.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm4?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-1ubuntu0.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4-2.1",
"1.5+dfsg-1",
"1.5+dfsg-1ubuntu0.1",
"1.5+dfsg-1ubuntu0.1+esm2",
"1.5+dfsg-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-2ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2",
"1.5+dfsg-2ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm2?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-1ubuntu0.20.04.1+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2build1",
"1.6-1",
"1.6-1ubuntu0.20.04.1",
"1.6-1ubuntu0.20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-2.1ubuntu3.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-2.1ubuntu3.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-2.1ubuntu3.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-2.1ubuntu2",
"1.6-2.1ubuntu3",
"1.6-2.1ubuntu3.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1-3ubuntu0.24.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-3",
"1.7-1",
"1.7.1-2",
"1.7.1-3",
"1.7.1-3build1",
"1.7.1-3ubuntu0.24.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-3ubuntu1.1"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-3ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-3ubuntu1.1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-3ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.1-3ubuntu1",
"1.7.1-6ubuntu1",
"1.8.1-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-4ubuntu2"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-4ubuntu2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-4ubuntu2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-4ubuntu2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.1-3ubuntu1",
"1.8.1-4ubuntu1"
]
}
],
"aliases": [],
"details": "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq\u0027s src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.",
"id": "UBUNTU-CVE-2026-39956",
"modified": "2026-05-20T15:27:25Z",
"published": "2026-04-13T23:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-39956"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39956"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-2"
}
],
"related": [
"USN-8202-1",
"USN-8202-2"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-39956"
]
}
ubuntu-cve-2026-39979
Vulnerability from osv_ubuntu
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.3-1.1ubuntu1.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.3-1.1ubuntu1.1+esm4?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3-1.1ubuntu1.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.2-8",
"1.3-1",
"1.3-1.1ubuntu1",
"1.3-1.1ubuntu1.1",
"1.3-1.1ubuntu1.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-1ubuntu0.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm4?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-1ubuntu0.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4-2.1",
"1.5+dfsg-1",
"1.5+dfsg-1ubuntu0.1",
"1.5+dfsg-1ubuntu0.1+esm2",
"1.5+dfsg-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-2ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2",
"1.5+dfsg-2ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm2?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-1ubuntu0.20.04.1+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2build1",
"1.6-1",
"1.6-1ubuntu0.20.04.1",
"1.6-1ubuntu0.20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-2.1ubuntu3.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-2.1ubuntu3.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-2.1ubuntu3.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-2.1ubuntu2",
"1.6-2.1ubuntu3",
"1.6-2.1ubuntu3.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1-3ubuntu0.24.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-3",
"1.7-1",
"1.7.1-2",
"1.7.1-3",
"1.7.1-3build1",
"1.7.1-3ubuntu0.24.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-3ubuntu1.1"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-3ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-3ubuntu1.1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-3ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.1-3ubuntu1",
"1.7.1-6ubuntu1",
"1.8.1-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-4ubuntu2"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-4ubuntu2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-4ubuntu2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-4ubuntu2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.1-3ubuntu1",
"1.8.1-4ubuntu1"
]
}
],
"aliases": [],
"details": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.",
"id": "UBUNTU-CVE-2026-39979",
"modified": "2026-06-30T16:20:57Z",
"published": "2026-04-13T23:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-39979"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39979"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-2"
}
],
"related": [
"USN-8202-1",
"USN-8202-2"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-39979"
]
}
ubuntu-cve-2026-40164
Vulnerability from osv_ubuntu
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
| URL | Type | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.3-1.1ubuntu1.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.3-1.1ubuntu1.1+esm4?arch=source\u0026distro=esm-infra-legacy/trusty"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.2-8",
"1.3-1",
"1.3-1.1ubuntu1",
"1.3-1.1ubuntu1.1",
"1.3-1.1ubuntu1.1+esm3",
"1.3-1.1ubuntu1.1+esm4"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-1ubuntu0.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm4?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-1ubuntu0.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.4-2.1",
"1.5+dfsg-1",
"1.5+dfsg-1ubuntu0.1",
"1.5+dfsg-1ubuntu0.1+esm2",
"1.5+dfsg-1ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm2?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5+dfsg-2ubuntu0.1~esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2",
"1.5+dfsg-2ubuntu0.1~esm1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-1ubuntu0.20.04.1+esm2"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm2?arch=source\u0026distro=esm-infra/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-1ubuntu0.20.04.1+esm2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5+dfsg-2build1",
"1.6-1",
"1.6-1ubuntu0.20.04.1",
"1.6-1ubuntu0.20.04.1+esm1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.6-2.1ubuntu3.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.6-2.1ubuntu3.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6-2.1ubuntu3.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-2.1ubuntu2",
"1.6-2.1ubuntu3",
"1.6-2.1ubuntu3.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
},
{
"binary_name": "libjq1",
"binary_version": "1.7.1-3ubuntu0.24.04.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1-3ubuntu0.24.04.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6-3",
"1.7-1",
"1.7.1-2",
"1.7.1-3",
"1.7.1-3build1",
"1.7.1-3ubuntu0.24.04.1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-3ubuntu1.1"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-3ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:25.10",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-3ubuntu1.1?arch=source\u0026distro=questing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-3ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.1-3ubuntu1",
"1.7.1-6ubuntu1",
"1.8.1-3ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "jq",
"binary_version": "1.8.1-4ubuntu2"
},
{
"binary_name": "libjq1",
"binary_version": "1.8.1-4ubuntu2"
}
]
},
"package": {
"ecosystem": "Ubuntu:26.04:LTS",
"name": "jq",
"purl": "pkg:deb/ubuntu/jq@1.8.1-4ubuntu2?arch=source\u0026distro=resolute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1-4ubuntu2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.8.1-3ubuntu1",
"1.8.1-4ubuntu1"
]
}
],
"aliases": [],
"details": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n\u00b2) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.",
"id": "UBUNTU-CVE-2026-40164",
"modified": "2026-06-30T16:20:58Z",
"published": "2026-04-14T00:16:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2026-40164"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40164"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29"
},
{
"type": "REPORT",
"url": "https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-8202-2"
}
],
"related": [
"USN-8202-1",
"USN-8202-2"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2026-40164"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.