Lucene search
K

Amazon Linux 2 : jq, --advisory ALAS2-2026-3496 (ALAS-2026-3496)

🗓️ 08 Jul 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

jq on Amazon Linux 2 vulnerable to ALAS2-2026-3496; upgrade to fixed version to prevent heap overflow and stack crash.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-39979
13 Apr 202622:18
attackerkb
ATTACKERKB
CVE-2026-41256
11 May 202617:18
attackerkb
ATTACKERKB
CVE-2026-47770
25 Jun 202617:22
attackerkb
ATTACKERKB
CVE-2026-43896
11 May 202617:24
attackerkb
ATTACKERKB
CVE-2026-39956
13 Apr 202622:10
attackerkb
ATTACKERKB
CVE-2026-33947
13 Apr 202621:50
attackerkb
ATTACKERKB
CVE-2026-33948
13 Apr 202623:51
attackerkb
ATTACKERKB
CVE-2026-32316
13 Apr 202617:49
attackerkb
ATTACKERKB
CVE-2026-40164
13 Apr 202623:40
attackerkb
Tenable Nessus
Amazon Linux 2023 : jq, jq-devel (ALAS2023-2026-1815)
8 Jun 202600:00
nessus
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2026-3496.
##

include('compat.inc');

if (description)
{
  script_id(325564);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/08");

  script_cve_id(
    "CVE-2026-32316",
    "CVE-2026-33947",
    "CVE-2026-33948",
    "CVE-2026-39956",
    "CVE-2026-39979",
    "CVE-2026-40164",
    "CVE-2026-43896",
    "CVE-2026-47770"
  );
  script_xref(name:"IAVB", value:"2025-B-0188");

  script_name(english:"Amazon Linux 2 : jq, --advisory ALAS2-2026-3496 (ALAS-2026-3496)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of jq installed on the remote host is prior to 1.6-17. It is, therefore, affected by multiple
vulnerabilities as referenced in the ALAS2-2026-3496 advisory.

    jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within
    the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a
    combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation
    size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations
    then write the full string data into this undersized buffer, causing a heap buffer overflow classified as
    CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating
    untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further
    exploitation through heap corruption by crafting queries that produce extremely large strings. The root
    cause is the absence of string size bounds checking, unlike arrays and objects which already have size
    limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5. (CVE-2026-32316)

    jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(),
    and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length
    of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document
    containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq
    filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass
    works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime
    path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is
    denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON
    input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit
    fb59f1491058d58bdc3e8dd28f1773d1ac690a1f. (CVE-2026-33947)

    jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a
    vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON
    from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from
    fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This
    enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious
    trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix.
    Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are
    susceptible to parser differential attacks, as those consumers may process the full input including the
    malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
    (CVE-2026-33948)

    jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the
    _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without
    verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are
    stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with
    input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen
    pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment
    that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in
    commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03. (CVE-2026-39956)

    jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the
    jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-
    handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is
    found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in
    a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of
    the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted
    input, and depending on memory layout, can result in memory disclosure or process termination. The issue
    has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f. (CVE-2026-39979)

    jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used
    MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table
    operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON
    object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n),
    turning any jq expression into an O(n2) operation and causing significant CPU exhaustion. This affected
    common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more
    practical to exploit than existing heap overflow issues since it required only a small payload. This issue
    has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. (CVE-2026-40164)

    jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in
    jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function
    is reachable through the * operator when both operands are objects. (CVE-2026-43896)

    The vulnerability is an unbounded recursion in jv_equal() and jv_cmp() that causes a stack overflow when
    processing deeply nested JSON structures during equality checks (==, !=) or comparisons (sort, unique,
    bsearch, min_by, max_by). (CVE-2026-47770)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com//AL2/ALAS2-2026-3496.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-32316.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-33947.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-33948.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-39956.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-39979.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-40164.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-43896.html");
  script_set_attribute(attribute:"see_also", value:"https://explore.alas.aws.amazon.com/CVE-2026-47770.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update jq' or
  or 'yum update --advisory ALAS2-2026-3496' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-39979");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:jq");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:jq-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:jq-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm2.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'jq-1.6-17.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'jq-1.6-17.amzn2.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'jq-1.6-17.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'jq-debuginfo-1.6-17.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'jq-debuginfo-1.6-17.amzn2.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'jq-debuginfo-1.6-17.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'jq-devel-1.6-17.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'jq-devel-1.6-17.amzn2.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'jq-devel-1.6-17.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jq / jq-debuginfo / jq-devel");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Jul 2026 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 3.17.5 - 8.2
CVSS 46.9
EPSS0.00559
SSVC
2