This is a patch release with security fixes and bug fixes since 1.8.1, along with new builds for Windows arm64 and Docker arm/v7.
Security fixes
- CVE-2026-32316: Fix heap buffer overflow in jvp_string_append and jvp_string_copy_replace_bad. @itchyny e47e56d
- CVE-2026-33947: Limit path depth to prevent stack overflow in jv_setpath, jv_getpath, jv_delpaths. @itchyny fb59f14
- CVE-2026-33948: Fix NUL truncation in the JSON parser. @itchyny 6374ae0
- CVE-2026-39956: Fix _strindices missing runtime type checks. @tlsbollei fdf8ef0
- CVE-2026-39979: Fix out-of-bounds read in jv_parse_sized(). @wader 2f09060
- CVE-2026-40164: Randomize hash seed to mitigate hash collision DoS attacks. @AsafMeizner @itchyny 0c7d133
- CVE-2026-40612: Limit containment check depth to prevent stack overflow in contains. @itchyny d1a1256
- CVE-2026-41256: Fix NUL truncation in program files loaded with -f. @itchyny 5a015de
- CVE-2026-41257: Fix signed-int overflow in stack_reallocate. @itchyny 01b3cde
- CVE-2026-43894: Reject numeric literals longer than DEC_MAX_DIGITS (999999999). @itchyny 9761ceb
- CVE-2026-43895: Reject embedded NUL bytes in module import paths. @itchyny 9d223f1
- CVE-2026-43896: Limit recursive object merge depth to prevent stack overflow. @itchyny 532ccea
- CVE-2026-44777: Detect circular module imports to prevent stack overflow. @itchyny f58787c
- CVE-2026-47770: Guard deep structural equality and comparison recursion. @fuyu0425 7122866
- CVE-2026-49839: Fix heap-buffer-overflow in raw file loading. @itchyny e987df0
- CVE-2026-54679: Tighten string length bounds and propagate invalid jv in implode. @itchyny 46d1da3
- GHSA-gf4g-95wj-4q4r: Fix use-after-free in args2obj() array argument path. @sseal #3498
- GHSA-hj52-j2c9-r8r4: Fix signed-int overflow in tokenadd to prevent buffer overflow. @itchyny 63751f8
- Limit the number of function parameters and definitions to prevent SEGV. @OwenSanzas #3460
- Pre-allocate tokenbuf for string parser to avoid undefined behavior. @fab1ano #3485
- Avoid stack overflow when freeing deeply nested values. @itchyny 33d7bce
- Fix memory leaks and double frees. @itchyny #3487
Releasing
- Add builds for Windows arm64. @dennisameling #3376
- Support arm/v7 architecture in Docker images. @itchyny #3463
- Update GPG signing key. @itchyny 0ff997f
- Add artifact-metadata permission for actions/attest. @itchyny #3530
- Upload attestation bundle as a release artifact, allowing unauthenticated
verification via gh attestation verify --bundle jq-attestation.json.
@itchyny #3563
CLI changes
- Improve error message truncation with closing delimiters. @itchyny #3478
- Remove extra space from die function output. @krtk6160 #3391
- Fix raw input flag not to corrupt multi-byte characters. @itchyny #3421
- Fix crash when importing a module with errors twice. @itchyny #3497
- Increase the maximum printing depth from 256 to 10000. @ishnagy #3414
Changes to existing functions
- Fix rtrimstr("") always outputting "". @A4-Tacks #3415
- Fix infinite loop and undefined behavior in del(.[nan]). @itchyny #3490
- Refactor @uri and @urid to fix multi-byte UTF-8 corruption. @itchyny #3495
- Fix tonumber and toboolean to reject strings with embedded null bytes. @itchyny #3496
- Fix undefined behavior in modulo operator. @fab1ano #3486
- Fix reversed pointer subtraction in f_env bounds check. @itchyny #3465
- Fix missing validity check in f_strflocaltime after f_localtime. @itchyny #3491
- Fix year 2038 problem on 32-bit platforms. @itchyny #3407
- Use // instead of //= in from_entries definition. @itchyny #3516
Build and test changes
- Drop strptime test using non-portable %F. @alyssais #3365
- Limit oniguruma depth to 1024 in jq_fuzz_execute. @sudhackar #3377
- Fix localization test for time formatting functions. @itchyny #3409
- Fix expected value assertion. @itchyny #3431 #3408
- Fix typo in tests/jq.test. @bigmoonbit #3441
- Refactor tm2jv to handle fractional seconds. @itchyny #3489
- Fix jq_fuzz_parse_stream: use iterative parser API for streaming mode. @OwenSanzas #3499
- Fix crashes and resource leaks in jq_testsuite. @itchyny #3509
- Support building with --disable-maintainer-mode and source != build dir. @Saur2000 #3518
- Add Solaris support. @vlmarek #3515
- Respect SOURCE_DATE_EPOCH while generating man page. @McSinyx #3514
- Fix undefined pointer arithmetic in UTF-8 helpers. @theyoucheng df924ea
- Fix one-byte over-read in BASE64_DECODE_TABLE. @itchyny #3547
Documentation changes
- Add wiki link to navigation bar. @wader #3424
- Add missing word in manual for rawfile. @jpmens #3434
- Fix typo "stder" to "stderr". @jjatria #3446
- Fix buttons in tutorial to toggle labels when clicked on. @itchyny #3493
- Fix "happened" spelling in tutorial changelog entries. @Rohan5commit #3525