{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/stack-write/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":6.2,"id":"CVE-2026-43894"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["jq"],"_cs_severities":["high"],"_cs_tags":["cve","jq","overflow","stack write"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-43894 is a critical vulnerability affecting jq, a lightweight and flexible command-line JSON processor. The vulnerability stems from a signed-integer overflow within the \u003ccode\u003edecNumber D2U()\u003c/code\u003e macro, leading to a wild stack write. This flaw can be exploited to potentially overwrite sensitive data on the stack, possibly leading to arbitrary code execution. Attackers could leverage this overflow by crafting malicious JSON input designed to trigger the overflow when processed by jq. Successful exploitation of this vulnerability could lead to unauthorized access, data breaches, or system compromise. Defenders should prioritize patching or mitigating this vulnerability to prevent potential attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON input specifically designed to trigger a signed-integer overflow in the \u003ccode\u003edecNumber D2U()\u003c/code\u003e macro within the jq application.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the malicious JSON input to the jq application as an argument or via standard input.\u003c/li\u003e\n\u003cli\u003ejq processes the JSON input, and the \u003ccode\u003edecNumber D2U()\u003c/code\u003e macro is invoked during the parsing or processing of the JSON data.\u003c/li\u003e\n\u003cli\u003eThe signed-integer overflow occurs within the \u003ccode\u003edecNumber D2U()\u003c/code\u003e macro, leading to an incorrect calculation of memory allocation size.\u003c/li\u003e\n\u003cli\u003eThe incorrect size leads to a write operation that goes beyond the intended boundaries of the stack buffer, causing a wild stack write.\u003c/li\u003e\n\u003cli\u003eThe wild stack write overwrites sensitive data on the stack, such as return addresses or function pointers.\u003c/li\u003e\n\u003cli\u003eIf the attacker has successfully overwritten a return address or function pointer, the execution flow can be redirected to an attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the jq application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-43894 can lead to arbitrary code execution. The vulnerability impacts any system running a vulnerable version of jq. This can result in a complete compromise of the affected system, allowing attackers to steal sensitive information, install malware, or perform other malicious activities. The affected sectors would be those utilizing the jq utility for JSON processing. The number of potential victims depends on the prevalence of the vulnerable jq version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade jq to the latest patched version that addresses CVE-2026-43894 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to your SIEM to detect potential exploitation attempts of CVE-2026-43894.\u003c/li\u003e\n\u003cli\u003eMonitor systems utilizing jq for unusual behavior, such as unexpected crashes or unauthorized access attempts, using process_creation and file_event logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T07:32:11Z","date_published":"2026-05-13T07:32:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-43894-jq-overflow/","summary":"CVE-2026-43894 is a vulnerability related to jq involving a wild stack write via signed-integer overflow in the decNumber D2U() macro.","title":"CVE-2026-43894 jq: Wild stack write via signed-integer overflow in decNumber D2U() macro","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-43894-jq-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Stack Write","version":"https://jsonfeed.org/version/1.1"}