CVE-2026-43894: jq: Wild stack write via signed-integer overflow in decNumber D2U() macro

Q: What is the severity of CVE-2026-43894?

CVE-2026-43894 is classified as a high severity vulnerability due to its potential for causing a wild stack write.

Q: How do I fix CVE-2026-43894?

To fix CVE-2026-43894, upgrade jq to version 1.8.2 or later.

Q: What software versions are affected by CVE-2026-43894?

CVE-2026-43894 affects jq versions up to and including 1.8.1.

Q: What types of applications may be impacted by CVE-2026-43894?

Applications using vulnerable versions of jq for JSON processing may be impacted by CVE-2026-43894.

Q: Is CVE-2026-43894 a local or remote threat?

CVE-2026-43894 represents a local threat, as it requires the execution of maliciously crafted JSON input.

Published May 11, 2026

Updated

jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).

Affected Software

2 affected components

Stedolan jq<=1.8.1

jqlang jq<=1.8.1

Event History

May 11, 2026

CVE Published

via MITRE·05:20 PM

Data Sourced

via MITRE·05:20 PM

DescriptionSeverityWeakness

Data Sourced

via NVD·06:16 PM

DescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2026-43894?

CVE-2026-43894 is classified as a high severity vulnerability due to its potential for causing a wild stack write.

How do I fix CVE-2026-43894?

To fix CVE-2026-43894, upgrade jq to version 1.8.2 or later.

What software versions are affected by CVE-2026-43894?

CVE-2026-43894 affects jq versions up to and including 1.8.1.

What types of applications may be impacted by CVE-2026-43894?

Applications using vulnerable versions of jq for JSON processing may be impacted by CVE-2026-43894.

Is CVE-2026-43894 a local or remote threat?

CVE-2026-43894 represents a local threat, as it requires the execution of maliciously crafted JSON input.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.