VDB
GCVE-110-MAGEIA-2026-188
GCVE-110-MAGEIA-2026-188
Advisory Published
An integer overflow arises when assigning value using an index of
2147483647, the signed integer limit. This causes a denial of service.
(CVE-2024-23337)
It was discovered that jq did not correctly handle certain string
concatenations. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain
circumstances. An attacker could possibly use this issue to cause a
denial of service. (CVE-2026-33947)
It was discovered that jq did not correctly handle improperly terminated
strings. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. (CVE-2026-33948)
It was discovered that jq did not correctly handle checking certain
variable types. An attacker could possibly use this issue to cause a
denial of service or leak sensitive information. (CVE-2026-39956)
It was discovered that jq did not correctly handle certain string
formatting. An attacker could possibly use this issue to leak sensitive
information or cause a denial of service. (CVE-2026-39979)
It was discovered that jq used a fixed seed for hash table operations.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2026-40164)
A heap-buffer-overflow is present in function `jv_string_vfmt` in the
jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c,
line 1456 `void* p = malloc(sz); (CVE-2025-48060)
Top-level jq programs loaded from a file with -f are truncated at the
first embedded NUL byte on current upstream HEAD. A crafted filter file
such as . followed by \x00 and arbitrary suffix compiles and executes as
only the prefix before the NUL. This leaves jq with a
post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path
even though the JSON parser path has already been fixed.
(CVE-2026-41256)
The ordinary module loader recurses without cycle detection when two
otherwise valid modules include each other (CVE-2026-44777)
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | jq | 0 (affected), 1.6-3.1.mga9 (unaffected) | — |
References
Browse GCVE Records
73,040 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.