2 matches found
CVE-2026-49839
jq is a command-line JSON processor. Prior to 1.8.2, jq --rawfile can turn a handled oversized-string error into invalid-state reuse and a real heap out-of-bounds write in assertion-disabled builds. When jv_load_file(raw=1) reads an attacker-controlled file, it repeatedly appends file chunks to the...
CVE-2026-49839
Summary: CVE-2026-49839 affects jq prior to 1.8.2, where in the --rawfile path an oversized string can trigger invalid-state reuse and heap-buffer-overflow writes. In detail, when jv_load_file(raw=1) reads attacker-controlled data, file chunks are appended to a single jv string accumulator; after...