Your message dated Sat, 16 May 2026 18:07:57 +0000
with message-id <[email protected]>
and subject line Bug#1136445: fixed in jq 1.8.1-6
has caused the Debian Bug report #1136445,
regarding jq: CVE-2026-40612 CVE-2026-41256 CVE-2026-41257 CVE-2026-43894
CVE-2026-43895 CVE-2026-43896 CVE-2026-44777
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jq
Version: 1.8.1-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for jq.
CVE-2026-40612[0]:
| jq is a command-line JSON processor. In 1.8.1 and earlier,
| jv_contains recurses into nested arrays/objects with no depth limit.
| With a sufficiently nested input structure (built programmatically
| with reduce, since the JSON parser caps at depth 10000), the C stack
| is exhausted.
CVE-2026-41256[1]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level
| jq programs loaded from a file with -f are truncated at the first
| embedded NUL byte on current upstream HEAD. A crafted filter file
| such as . followed by \x00 and arbitrary suffix compiles and
| executes as only the prefix before the NUL. This leaves jq with a
| post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation
| path even though the JSON parser path has already been fixed.
CVE-2026-41257[2]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, the jq
| bytecode VM's data stack tracks its allocation size in a signed int.
| When the stack grows beyond ≈1 GiB (via deeply nested generator
| forks), the doubling arithmetic overflows. The wrapped value is
| passed to realloc and then used for a memmove with attacker-
| influenced offsets.
CVE-2026-43894[3]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, when
| decNumberFromString is given a number literal of INT_MAX-1
| (2147483646) digits, the D2U() macro overflows during signed-int
| arithmetic. The wrapped negative value bypasses the heap-allocation
| size check, causes the function to use a 30-byte stack buffer, and
| then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43
| GiB below the stack frame. The written content is fully attacker-
| controlled (the parsed decimal digits, packed 3-per-unit).
CVE-2026-43895[4]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, jq
| accepts embedded NUL bytes in import paths at the jq-language level,
| but later resolves those paths through C string operations during
| module and data-file lookup. This creates a mismatch between the
| logical import string that policy or audit code may validate and the
| on-disk path that jq actually opens.
CVE-2026-43896[5]:
| jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded
| recursion in jv_object_merge_recursive() allows a crafted jq program
| to crash the process with a segfault. The function is reachable
| through the * operator when both operands are objects.
CVE-2026-44777[6]:
| jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the
| ordinary module loader recurses without cycle detection when two
| otherwise valid modules include each other.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40612
https://www.cve.org/CVERecord?id=CVE-2026-40612
[1] https://security-tracker.debian.org/tracker/CVE-2026-41256
https://www.cve.org/CVERecord?id=CVE-2026-41256
[2] https://security-tracker.debian.org/tracker/CVE-2026-41257
https://www.cve.org/CVERecord?id=CVE-2026-41257
[3] https://security-tracker.debian.org/tracker/CVE-2026-43894
https://www.cve.org/CVERecord?id=CVE-2026-43894
[4] https://security-tracker.debian.org/tracker/CVE-2026-43895
https://www.cve.org/CVERecord?id=CVE-2026-43895
[5] https://security-tracker.debian.org/tracker/CVE-2026-43896
https://www.cve.org/CVERecord?id=CVE-2026-43896
[6] https://security-tracker.debian.org/tracker/CVE-2026-44777
https://www.cve.org/CVERecord?id=CVE-2026-44777
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
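A pre-flight check a defender can run on jq filter and module files before they reach an unpatched jq, covering the three input-mismatch conditions the report above describes: the NUL truncation of CVE-2026-41256, the NUL-in-import-path mismatch of CVE-2026-43895 and the mutual include of CVE-2026-44777. This is an added example, not jq's code or part of the bug report; the regex for include/import statements and the in-memory module map are assumptions standing in for jq's own module resolution.

```python
import re
from typing import Dict, List, Optional

# Real jq module syntax: `include "name";` and `import "name" as alias;`. A byte-level
# regex on purpose: checks run on raw file bytes, before any C-string truncation.
IMPORT_RE = re.compile(rb'\b(?:include|import)\s+"([^"]*)"')

def nul_truncation(program: bytes) -> Optional[dict]:
    """CVE-2026-41256 mismatch: the prefix an affected jq compiles (before the
    first NUL) versus the suffix it silently drops. None if there is no NUL."""
    idx = program.find(b"\x00")
    if idx < 0:
        return None
    return {"offset": idx, "compiled": program[:idx], "ignored": program[idx + 1:]}

def import_paths_with_nul(program: bytes) -> List[bytes]:
    """CVE-2026-43895: import/include paths whose logical (jq-level) string
    differs from the C string that module lookup would actually open."""
    return [p for p in IMPORT_RE.findall(program) if b"\x00" in p]

def find_include_cycle(modules: Dict[str, bytes], entry: str) -> Optional[List[str]]:
    """CVE-2026-44777: depth-first walk of the include/import graph. Returns the
    cycle as module names ending where it started, or None if acyclic. `modules`
    maps name -> source bytes (assumed stand-in for the jq library path)."""
    path: List[str] = []
    done = set()
    def visit(name: str) -> Optional[List[str]]:
        if name in path:                      # back edge: a cycle
            return path[path.index(name):] + [name]
        if name in done or name not in modules:   # unknown names are leaves
            return None
        path.append(name)
        for dep in IMPORT_RE.findall(modules[name]):
            cycle = visit(dep.decode("utf-8", "replace"))
            if cycle:
                return cycle
        path.pop()
        done.add(name)
        return None
    return visit(entry)

# Constructed sample inputs, not real files: a filter with a hidden suffix, an
# import path carrying a NUL, and a module set in which a and b include each other.
FILTER_WITH_NUL = b'.[] \x00| .name'
IMPORT_WITH_NUL = b'include "mod\x00extra"; .'
MODULES = {
    "main": b'include "a"; .',
    "a": b'import "b" as b; def f: b::g;',
    "b": b'include "a"; def g: 1;',
}
```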
--- Begin Message ---
Source: jq
Source-Version: 1.8.1-6
Done: ChangZhuo Chen (陳昌倬) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jq, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
ChangZhuo Chen (陳昌倬) <[email protected]> (supplier of updated jq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 17 May 2026 01:00:50 +0800
Source: jq
Architecture: source
Version: 1.8.1-6
Distribution: unstable
Urgency: high
Maintainer: ChangZhuo Chen (陳昌倬) <[email protected]>
Changed-By: ChangZhuo Chen (陳昌倬) <[email protected]>
Closes: 1136445
Changes:
jq (1.8.1-6) unstable; urgency=high
.
* Cherry-pick upstream fixes for the following CVEs (Closes: #1136445):
* CVE-2026-40612
* CVE-2026-41256
* CVE-2026-41257
* CVE-2026-43894
* CVE-2026-43895
* CVE-2026-43896
* CVE-2026-44777
Checksums-Sha1:
5ab74eca453fb02e696137d1f8a5399a6e8bad60 2038 jq_1.8.1-6.dsc
b25c97abbc9e9481b2db298e939b5124fc8c2903 26768 jq_1.8.1-6.debian.tar.xz
f6ca9ec2398808aee874e7ca5715ca7c09672fa4 7636 jq_1.8.1-6_amd64.buildinfo
Checksums-Sha256:
d5d6e56b99520af786767c4dd284cb7b5489237df797649d5778492318833dbc 2038 jq_1.8.1-6.dsc
99a2463f04f692080831e18ab1a4a2fcd606783757445efd602417f11fe0b667 26768 jq_1.8.1-6.debian.tar.xz
0d067f22fe356f5df3f623e8781477da6418f4b65da2c63def625de2f8d6d202 7636 jq_1.8.1-6_amd64.buildinfo
Files:
21d69aaed03f0452541376dd6197e7fc 2038 utils optional jq_1.8.1-6.dsc
f7849e936a21b1368b8f0fc0ae81148a 26768 utils optional jq_1.8.1-6.debian.tar.xz
46fcc9fb935e32cc1b6b7fe5be66c478 7636 utils optional jq_1.8.1-6_amd64.buildinfo
--- End Message ---