Bug 2494564 - CVE-2026-49839 jq: jq: Heap out-of-bounds write via oversized raw file processing [fedora-all]
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: jq
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jonathan Wright
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["21972bec-0ae8-4074-9a69-5...
Depends On:
Blocks: CVE-2026-49839
Reported: 2026-06-29 18:21 UTC by Jon Weiser
Modified: 2026-06-29 18:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Jon Weiser 2026-06-29 18:21:05 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

jq is a command-line JSON processor. Prior to 1.8.2, `jq --rawfile` can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the same jv string accumulator. Once jv_string_append_buf() returns jv_invalid_with_msg("String too long"), the raw-file loop does not stop. If the file contains at least one more byte, the next loop iteration appends a new chunk to an object that is already invalid. With assertions enabled this aborts in jvp_string_ptr(). With assertions disabled, the invalid object is interpreted as a string object and ASan reports heap-buffer-overflow. This vulnerability is fixed in 1.8.2.
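The defect class described above (a chunked read loop that keeps feeding an accumulator after the accumulator has already turned into an error value) is easy to reproduce in miniature. The following C program is an added illustration written for this tracker page; it is not jq's code and none of its names (acc_t, acc_append, load_raw_unstopped, load_raw_checked, ACC_MAX, CHUNK) are jq identifiers. The accumulator has a constructed 16-byte limit and the loop reads constructed 4-byte chunks so the "String too long" path triggers on small inputs. Rather than performing the out-of-bounds write, the append routine records when it is called on an already-invalid value, which is exactly the condition an assertion or ASan catches in the real bug. The checked variant shows the fix pattern: treat the invalid result as terminal and stop the loop.

```c
#include <stddef.h>
#include <string.h>

#define ACC_MAX 16   /* constructed, tiny limit so the error path triggers */
#define CHUNK   4    /* constructed read size standing in for fread() chunks */

/* Hypothetical string accumulator (not jq's jv type). */
typedef struct {
    int valid;               /* 0 once an error has been recorded */
    const char *err;         /* error message when !valid */
    size_t len;
    char buf[ACC_MAX + 1];
} acc_t;

static acc_t acc_new(void) {
    acc_t a;
    memset(&a, 0, sizeof a);
    a.valid = 1;
    return a;
}

/* Append n bytes. On overflow the value becomes invalid and carries a
 * message, in the spirit of the "String too long" error in the report. */
static acc_t acc_append(acc_t a, const char *p, size_t n) {
    if (!a.valid) {
        /* The bug class: a caller reuses an invalid value as a string.
         * We refuse to touch buf and record the misuse instead. */
        a.err = "append on invalid value";
        return a;
    }
    if (a.len + n > ACC_MAX) {
        a.valid = 0;
        a.err = "String too long";
        return a;
    }
    memcpy(a.buf + a.len, p, n);
    a.len += n;
    a.buf[a.len] = '\0';
    return a;
}

/* Unstopped loop, mirroring the reported defect: after the accumulator
 * turns invalid, every remaining chunk is still appended to it.
 * *post_error_appends counts how many such appends happened. */
static acc_t load_raw_unstopped(const char *data, size_t size, int *post_error_appends) {
    acc_t a = acc_new();
    *post_error_appends = 0;
    for (size_t off = 0; off < size; off += CHUNK) {
        size_t n = size - off < CHUNK ? size - off : CHUNK;
        if (!a.valid)
            (*post_error_appends)++;
        a = acc_append(a, data + off, n);
    }
    return a;
}

/* Hardened loop: an invalid result is terminal, so stop and propagate it. */
static acc_t load_raw_checked(const char *data, size_t size) {
    acc_t a = acc_new();
    for (size_t off = 0; off < size; off += CHUNK) {
        size_t n = size - off < CHUNK ? size - off : CHUNK;
        a = acc_append(a, data + off, n);
        if (!a.valid)
            break;   /* never reuse an invalid value on the next iteration */
    }
    return a;
}
```

With a 24-byte constructed input, the fifth chunk overflows the limit; the checked loop returns the "String too long" error with 16 bytes accumulated, while the unstopped loop goes on to call the append routine once more on the invalid value, which is the moment the real code reinterprets garbage as a string object.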

