A flaw was found in jq, a command line JSON processor. The memory allocation size is calculated using a signed integer that can overflow when processing deeply nested generator forks. This integer overflow allows an attacker who can supply a sufficiently nested input to influence the memory allocation size, causing an out-of-bounds write and an application crash, resulting in a denial of service.

To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq that triggers deeply nested generator forks. This allows the attacker to overflow the integer used to calculate memory size and cause an out-of-bounds write, effectively resulting in an application crash with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity. Do not process untrusted input with the jq command line JSON processor. Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/hub-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred automation-controller Red Hat Ceph Storage 4 Fix deferred jq Red Hat Enterprise Linux 10 Fix deferred jq Red Hat Enterprise Linux 8 Fix deferred jq Red Hat Enterprise Linux 9 Fix deferred jq Red Hat Hardened Images Affected jq Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-41257 https://nvd.nist.gov/vuln/detail/CVE-2026-41257 https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539