Zero Day MonitorZDM
Zero Day Monitor © 2026
CVE-2026-49839 (CVSS 7.1) · EXPLOITED · PATCHED
jqlang · jq

jq --rawfile invalid-state reuse after String too long causes heap-buffer-overflow

Description

jq versions before 1.8.2 contain a heap-buffer-overflow reachable through the --rawfile option: after a "String too long" error, invalid string state is reused, and the VulDB entry names jv_string_append_buf as the site of the out-of-bounds write (CWE-787). The BSI advisory summarises the impact as a Denial of Service by a remote, anonymous attacker. Note that the CVSS 3.1 vector recorded on this page scores the attack vector as local (AV:L) with user interaction required (UI:R), which fits jq being a command-line tool that has to be run on attacker-supplied input; the vector also rates integrity impact high (I:H) alongside availability (A:H), so the scoring does not rule out memory corruption beyond a crash. The fix is in jq 1.8.2.

Affected Products

Vendor   Product   Versions
jqlang   jq        < 1.8.2
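A practitioner's first question is whether the jq on a given host falls in the affected range. The following is an added example, not code from the jq project or from this tracker: it parses the output of `jq --version` (assumed to follow the "jq-<version>" form used by current releases; the sample strings are constructed) and compares it against the fixed release 1.8.2 taken from the table above.

```python
"""Check whether a jq build is in the affected range (< 1.8.2) for CVE-2026-49839.

Added example, not part of the jq project or of the tracker page. The fixed
version comes from the advisory data; the 'jq-<version>' output format of
`jq --version` is an assumption, and the sample strings are constructed.
"""
from __future__ import annotations

import re
import shutil
import subprocess

FIXED_VERSION = (1, 8, 2)  # first release that is not affected, per the advisory

# Accepts 'jq-1.8.1', 'jq-1.7.1-dirty', 'jq-1.6'; stops at the first non-numeric suffix.
_VERSION_RE = re.compile(r"^\s*jq-?(\d+(?:\.\d+)*)")


def parse_jq_version(version_output: str) -> tuple[int, ...]:
    """Turn `jq --version` output into a tuple that compares numerically.

    Raises ValueError for anything that does not look like a jq version string,
    so an unrecognised binary is never silently reported as patched.
    """
    m = _VERSION_RE.match(version_output)
    if not m:
        raise ValueError(f"unrecognised jq version string: {version_output!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_output: str) -> bool:
    """True when the reported version sorts below the fixed release."""
    return parse_jq_version(version_output) < FIXED_VERSION


def check_installed_jq(binary: str = "jq") -> str:
    """Run the local jq binary and classify it; 'not found' if it is absent from PATH."""
    path = shutil.which(binary)
    if path is None:
        return "not found"
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    text = (out.stdout or out.stderr).strip()
    return "affected" if is_affected(text) else "patched"


if __name__ == "__main__":
    # Constructed sample outputs covering both sides of the fix boundary.
    for sample in ("jq-1.6", "jq-1.7.1-dirty", "jq-1.8.1", "jq-1.8.2"):
        print(f"{sample}: {'affected' if is_affected(sample) else 'patched'}")
    print("installed jq:", check_installed_jq())
```

The version is compared as an integer tuple rather than as a string so that a hypothetical 1.10 sorts above 1.8.2; a build string that does not start with "jq" raises instead of returning a result, which is the behaviour you want in a fleet-wide check.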

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor        Product   Source          Confidence
open source   jq        cert_advisory   90%

References

  • https://github.com/jqlang/jq/security/advisories/GHSA-cfh2-vwfq-qfmm (x_refsource_CONFIRM)

Related News (2 articles)

Tier B · BSI Advisories · 1d ago
[NEW] [medium] jq: Vulnerability allows Denial of Service
→ No new info (linked only)
Tier C · VulDB · 2d ago
CVE-2026-49839 | jqlang jq up to 1.8.1 jv_string_append_buf out-of-bounds write
→ No new info (linked only)
CVSS 3.1: 7.1 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
CISA KEV: No
Actively exploited: Yes
Patch available: 1.8.2
CWE: CWE-787
Published: Jun 25, 2026
Last enriched: 1d ago (v3)
Tags: Denial of Service
Trending Score: 57
Source articles: 2
Independent: 2
Info Completeness: 10/14
Missing: epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-39979 · EXP
jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers
Trending: 61
NONE · CVE-2026-47770
jq: stack overflow in deep structural equality
Trending: 13
NONE · CVE-2026-54679
jq: potential integer overflow in jvp_string_append
Trending: 13
HIGH · CVE-2026-44777
jq: stack overflow in module loading on mutual `include`
Trending: 3
MEDIUM · CVE-2026-43894
jq: Wild stack write via signed-integer overflow in decNumber D2U() macro


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 25, 2026
Discovered by ZDM: Jun 25, 2026
Updated (severity, patchAvailable): Jun 25, 2026
Actively Exploited: Jun 25, 2026
Exploit Available: Jun 25, 2026
Patch Available: Jun 25, 2026
Updated (description, exploitAvailable, activelyExploited, tags): Jun 26, 2026

Version History

Current: v3 (last enriched 1d ago)

v3 · Tier B · 1d ago

Updated description to include Denial of Service attack and marked exploit as available and actively exploited.

Fields: description, exploitAvailable, activelyExploited, tags
via BSI Advisories

v2 · Tier C · 2d ago

Updated severity to CRITICAL, noted that no exploit exists, and specified the fixed version as 1.8.2.

Fields: severity, patchAvailable
via VulDB

v1 · 2d ago

Initial creation