CVE-2026-41257

jq: Signed-int overflow in `stack_reallocate` (jq VM stack)

Published: 5/11/2026 Last updated: 5/11/2026 Reserved: 4/18/2026

jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
4.0	6.4	Medium	CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Opam packages affected (2)

conf-jq travis-opam

Products affected (1)

Product	Vendor	Version
jq	jqlang	10.1.2

References (2)

https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539
https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539