suse · CVE-2025-48060

Quick triage

Priority: medium Published: 2025-06-05 23:13:00 UTC Updated: 2026-03-05 00:32:55 UTC

View at Official suse advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2025-48060 severity moderate: SUSE including 263 source package names (1.0.4-3.54:jq-1.6-150000.3.9.1, 1.0.4-3.54:libjq1-1.6-150000.3.9.1, …), 485 product×package rows across 124 product lines (Container containers/suse-ai-observability-extension-setup, Container suse/sl-micro/6.0/baremetal-os-container, … (124 product lines)): Fixed 251, Known Affected 226, Known Not Affected 8.

Description:

jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available.

cvelogic Threat Intelligence