jq versions 1.8.1 and earlier contain an integer overflow in the bytecode VM's data stack allocation size tracking, which uses a signed int. When the stack grows beyond about 1 GiB due to deeply nested generator forks, the doubling calculation overflows and wraps the allocation size. This incorrect size is passed to realloc and subsequently used in a memmove operation with attacker-controlled offsets, potentially leading to memory corruption.

The integer overflow can cause memory corruption due to incorrect memory allocation and copying operations. This may lead to undefined behavior, including crashes or potential exploitation scenarios. However, exploitation requires triggering deeply nested generator forks that cause the stack to grow beyond approximately 1 GiB. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should avoid processing JSON inputs that cause deeply nested generator forks leading to large stack growth. Monitor vendor communications for updates on patches or mitigations.