Denial of Service via integer overflow and buffer overrun on 32-bit systems
Summary
jq is a command-line JSON processor. Prior to 1.8.2, on 32bit system, jvp_string_append has a chance of integer/multiple overflowing and then causing a massive buffer overrun. This vulnerability is fixed in 1.8.2. A flaw was found in jq, a command-line JSON processor. On 32-bit systems, a local attacker could exploit an integer overflow vulnerability in the `jvp_string_append` function. This could lead to a massive buffer overrun, resulting in a denial of service (DoS) condition. Red Hat severity: Moderate — CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-190. Fixed by RHSA-2026:29986 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- jq-main-1.8.2-0.1.hum1
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- jq-main-1.8.2-0.1.hum1
- RHSA-2026:29986
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.