CVE-2024-53427
Publication date 26 February 2025
Last updated 21 July 2025
Ubuntu priority
Description
decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits).
Read the notes from the security team
Why is this CVE low priority?
Only a DoS in a command line tool
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| jq | 25.10 questing |
Not affected
|
| 25.04 plucky |
Fixed 1.7.1-3ubuntu1.1
|
|
| 24.04 LTS noble |
Fixed 1.7.1-3ubuntu0.24.04.1
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Notes
mdeslaur
A stack overflow in a command line tool is a DoS only Reproducer required AddressSanitizer, could not reproduce DoS in stable Ubuntu releases. introduced in 1.7rc1
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.1 · High
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7657-1
- jq vulnerabilities
- 21 July 2025