libjq exposes `jv_parse_sized(const char *string, int length)` as a counted-buffer JSON parsing API, but its parse-error path later treats the same buffer as a NUL-terminated C string. If a caller passes malformed JSON in a non-NUL-terminated buffer, the error construction logic can read past the caller-supplied length, causing an out-of-bounds read.

The vulnerable path is: `jv_parse_sized()` -> `jv_parse_sized_custom_flags()` -> `jv_parser_set_buf(&parser, string, length, 0)` -> parse failure -> `jv_string_fmt("%s (while parsing '%s')", ..., string)`.

Relevant code: src/jv.h (line 245), src/jv_parse.c (line 865), src/jv_parse.c (line 896), src/jv.c (line 1528).

The parser correctly accepts a (pointer, length) pair, but when building the error message it formats `string` with `%s`, which causes `vsnprintf()` to continue reading memory until a `\0` is found. This makes the error path ignore the explicit buffer length and turns a
| Vendor | Product | Versions |
|---|---|---|
| jq | libjq | < 2f09060afab23fe9390cce7cb860b10416e1bf5f |
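As an added illustration (not libjq's code, and not the patch referenced above), the following C shows the shape of the defect and one bounded way to build the same error message: the unsafe line formats a counted buffer with `%s`, while `parse_error_bounded()` (hypothetical name) passes the caller's length as a `%.*s` precision so the read cannot run past the buffer. The input buffer is constructed inline and deliberately lacks a terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libjq source. It mirrors the error-construction step
 * the advisory describes for a (pointer, length) parse API whose failure
 * branch formats the raw input. Function names here are hypothetical. */

/* Vulnerable shape (shown for contrast, never called): the caller supplied
 * an explicit length, but "%s" tells vsnprintf() to read until it finds a
 * '\0', which a non-NUL-terminated caller buffer does not guarantee:
 *
 *   snprintf(out, outsz, "%s (while parsing '%s')", msg, string);
 */

/* Hardened form: "%.*s" bounds the read at `length` bytes (it also stops at
 * an embedded '\0', which only truncates the echoed text). Returns a heap
 * string the caller frees, or NULL on a negative length or allocation error. */
char *parse_error_bounded(const char *msg, const char *string, int length) {
    if (length < 0) return NULL;
    int n = snprintf(NULL, 0, "%s (while parsing '%.*s')", msg, length, string);
    if (n < 0) return NULL;
    char *out = malloc((size_t)n + 1);
    if (!out) return NULL;
    snprintf(out, (size_t)n + 1, "%s (while parsing '%.*s')", msg, length, string);
    return out;
}

/* Self-check on a constructed, deliberately unterminated 4-byte buffer.
 * Returns 1 when the message echoes exactly those 4 bytes and nothing past them. */
int bounded_error_matches(void) {
    char buf[4] = {'{', '"', 'a', '"'};   /* constructed input: no '\0' */
    char *m = parse_error_bounded("Unfinished JSON term", buf, 4);
    if (!m) return 0;
    int ok = strcmp(m, "Unfinished JSON term (while parsing '{\"a\"')") == 0;
    free(m);
    return ok;
}

int main(void) {
    char *m = parse_error_bounded("Unfinished JSON term", "{\"a\"", 4);
    if (m) { puts(m); free(m); }
    return bounded_error_matches() ? 0 : 1;
}
```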
Updated description with more technical detail, changed severity to HIGH, updated CVSS estimate to 8.2, added new CWE IDs, and provided the patch version.
Updated severity to CRITICAL and marked the vulnerability as actively exploited.
Initial creation