An update for jq is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2426 Final 1.0 1.0 2026-05-22 Initial 2026-05-22 2026-05-22 openEuler SA Tool V1.0 2026-05-22 jq security update An update for jq is now available for openEuler-24.03-LTS jq is a lightweight and flexible command-line JSON processor. you can use it to slice and filter and map and transform structured data. It is written in portable C, and it has zero runtime dependencies. it can mangle the data format that you have into the one that you want. Security Fix(es): jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.(CVE-2026-40612) jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.(CVE-2026-41256) jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.(CVE-2026-41257) jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).(CVE-2026-43894) jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.(CVE-2026-43895) jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.(CVE-2026-43896) jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.(CVE-2026-44777) An update for jq is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium jq https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2426 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40612 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-41256 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-41257 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43894 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43895 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-43896 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-44777 https://nvd.nist.gov/vuln/detail/CVE-2026-40612 https://nvd.nist.gov/vuln/detail/CVE-2026-41256 https://nvd.nist.gov/vuln/detail/CVE-2026-41257 https://nvd.nist.gov/vuln/detail/CVE-2026-43894 https://nvd.nist.gov/vuln/detail/CVE-2026-43895 https://nvd.nist.gov/vuln/detail/CVE-2026-43896 https://nvd.nist.gov/vuln/detail/CVE-2026-44777 openEuler-24.03-LTS jq-1.8.0-4.oe2403.aarch64.rpm jq-debuginfo-1.8.0-4.oe2403.aarch64.rpm jq-debugsource-1.8.0-4.oe2403.aarch64.rpm jq-devel-1.8.0-4.oe2403.aarch64.rpm jq-1.8.0-4.oe2403.src.rpm jq-1.8.0-4.oe2403.x86_64.rpm jq-debuginfo-1.8.0-4.oe2403.x86_64.rpm jq-debugsource-1.8.0-4.oe2403.x86_64.rpm jq-devel-1.8.0-4.oe2403.x86_64.rpm jq-help-1.8.0-4.oe2403.noarch.rpm jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted. 2026-05-22 CVE-2026-40612 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H jq security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2426 jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed. 2026-05-22 CVE-2026-41256 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N jq security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2426 jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets. 2026-05-22 CVE-2026-41257 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H jq security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2426 jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit). 2026-05-22 CVE-2026-43894 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H jq security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2426 jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens. 2026-05-22 CVE-2026-43895 openEuler-24.03-LTS Medium 4.4 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N jq security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2426 jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects. 2026-05-22 CVE-2026-43896 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H jq security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2426 jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other. 2026-05-22 CVE-2026-44777 openEuler-24.03-LTS Medium 5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H jq security update 2026-05-22 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2426