CVE-2026-49839: CWE-787: Out-of-bounds Write in jqlang jq
jq is a command-line JSON processor. Prior to 1.8.2,` jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2.
AI Analysis
Technical Summary
CVE-2026-49839 is an out-of-bounds write vulnerability in jq prior to version 1.8.2. The flaw arises in the --rawfile processing path where jv_load_file(raw=1) appends file chunks to a string accumulator. When the string becomes too long, jv_string_append_buf() returns an invalid string object, but the loop continues appending to this invalid object. With assertions disabled, this results in a heap-buffer-overflow as detected by ASan. The vulnerability is addressed in jq 1.8.2.
Potential Impact
This vulnerability can cause a heap out-of-bounds write leading to potential memory corruption. The CVSS score of 7.1 indicates high severity with impact on integrity and availability. There is no indication of confidentiality impact. Exploitation requires local access with user interaction and low complexity.
Mitigation Recommendations
A fix is available in jq version 1.8.2. Users should upgrade to version 1.8.2 or later to remediate this vulnerability. No vendor advisory is provided, so patch status is based on the description stating the issue is fixed in 1.8.2.
CVE-2026-49839: CWE-787: Out-of-bounds Write in jqlang jq
Description
jq is a command-line JSON processor. Prior to 1.8.2,` jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2.
CVSS v3.1
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49839 is an out-of-bounds write vulnerability in jq prior to version 1.8.2. The flaw arises in the --rawfile processing path where jv_load_file(raw=1) appends file chunks to a string accumulator. When the string becomes too long, jv_string_append_buf() returns an invalid string object, but the loop continues appending to this invalid object. With assertions disabled, this results in a heap-buffer-overflow as detected by ASan. The vulnerability is addressed in jq 1.8.2.
Potential Impact
This vulnerability can cause a heap out-of-bounds write leading to potential memory corruption. The CVSS score of 7.1 indicates high severity with impact on integrity and availability. There is no indication of confidentiality impact. Exploitation requires local access with user interaction and low complexity.
Mitigation Recommendations
A fix is available in jq version 1.8.2. Users should upgrade to version 1.8.2 or later to remediate this vulnerability. No vendor advisory is provided, so patch status is based on the description stating the issue is fixed in 1.8.2.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-01T18:50:36.056Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3d65db4853345fc13feb06
Added to database: 06/25/2026, 17:31:07 UTC
Last enriched: 06/25/2026, 17:45:54 UTC
Last updated: 06/25/2026, 18:31:23 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.