CVE-2026-54679PATCHED

jqlang · jq

jq: potential integer overflow in jvp_string_append

Description

jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun. This vulnerability is fixed in 1.8.2.

Affected Products

Vendor	Product	Versions
jqlang	jq	< 1.8.2

References

https://github.com/jqlang/jq/security/advisories/GHSA-29gj-222p-j7vx(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB2d ago

CVE-2026-54679 | jqlang jq up to 1.8.1 integer overflow

→ No new info (linked only)

CVSS 3.17.5 NONE

CISA KEV❌ No

Actively exploited❌ No

Patch available

1.8.2

CWECWE-190

PublishedJun 25, 2026

Last enriched2d agov2

Trending Score13

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-39979EXP

jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers

Trending: 60

HIGHCVE-2026-49839EXP

jq --rawfile invalid-state reuse after String too long causes heap-buffer-overflow

Trending: 56

NONECVE-2026-47770

jq: stack overflow in deep structural equality

Trending: 13

HIGHCVE-2026-44777

jq: stack overflow in module loading on mutual `include`

Trending: 3

MEDIUMCVE-2026-43894

jq: Wild stack write via signed-integer overflow in decNumber D2U() macro

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 25, 2026

Discovered by ZDM

Jun 25, 2026

Updated: severity, cvssEstimate, patchAvailable

Jun 25, 2026

Patch Available

Jun 25, 2026

Version History

Last enriched 2d ago

v2Tier C2d ago

Updated severity to HIGH, added CVSS estimate of 7.5, and specified patch available in version 1.8.2.

severitycvssEstimatepatchAvailable

via VulDB

v12d ago

Initial creation