From patchwork Wed Jun 10 07:52:49 2026
X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 89620
From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-devel@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Shubham Pushpkar
Subject: [meta-OE] [scarthgap] [PATCH 1/5] jq: Fix CVE-2026-40612
Date: Wed, 10 Jun 2026 00:52:49 -0700
Message-Id: <20260610075253.1676404-1-spushpka@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127509

From: Shubham Pushpkar

The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-40612.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2

Reference: https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j

Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-40612.patch | 153 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 154 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch new file mode 100644 index 0000000000..bcd9f2dbc0 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch 
@@ -0,0 +1,153 @@ +From f1a72c7b5eb9c9e99576b2ca8e59ab1f36a2a4e3 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:02:24 +0900 +Subject: [PATCH] Limit the containment check depth + +This fixes CVE-2026-40612. + +CVE: CVE-2026-40612 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2] + +Backport Changes: +- The upstream regression test used `reduce ... as $x` without wrapping + the `reduce` expression in parentheses. jq 1.7.1 parses that form as a + syntax error before the test can run. +- Wrapped the `reduce range(10001) ...` expression in an extra set of + parentheses so jq 1.7.1 first builds the nested array, then binds that + result to `$x` for the `contains($x)` depth-limit check. + +(cherry picked from commit d1a12569d91641135976a8536776a4a329c02cc2) +Signed-off-by: Shubham Pushpkar +--- + src/builtin.c | 5 ++++- + src/jv.c | 40 +++++++++++++++++++++++++++------------- + tests/jq.test | 11 ++++++++++- + 3 files changed, 41 insertions(+), 15 deletions(-) + +diff --git a/src/builtin.c b/src/builtin.c +index 902490d..378be02 100644 +--- a/src/builtin.c ++++ b/src/builtin.c +@@ -471,7 +471,10 @@ jv binop_greatereq(jv a, jv b) { + + static jv f_contains(jq_state *jq, jv a, jv b) { + if (jv_get_kind(a) == jv_get_kind(b)) { +- return jv_bool(jv_contains(a, b)); ++ int r = jv_contains(a, b); ++ if (r < 0) ++ return jv_invalid_with_msg(jv_string("Containment check too deep")); ++ return jv_bool(r); + } else { + return type_error2(a, b, "cannot have their containment checked"); + } +diff --git a/src/jv.c b/src/jv.c +index 08ded35..5a2c3a2 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -914,19 +914,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend) + } + + +-static int jvp_array_contains(jv a, jv b) { ++static int jvp_contains(jv a, jv b, int depth); ++ ++static int jvp_array_contains(jv a, jv b, int depth) { + int r = 1; + jv_array_foreach(b, bi, belem) { + int ri = 0; + 
jv_array_foreach(a, ai, aelem) { +- if (jv_contains(aelem, jv_copy(belem))) { +- ri = 1; +- break; +- } ++ ri = jvp_contains(aelem, jv_copy(belem), depth); ++ if (ri) break; + } + jv_free(belem); +- if (!ri) { +- r = 0; ++ if (ri <= 0) { ++ r = ri; + break; + } + } +@@ -1794,7 +1794,7 @@ static int jvp_object_equal(jv o1, jv o2) { + return len1 == len2; + } + +-static int jvp_object_contains(jv a, jv b) { ++static int jvp_object_contains(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + int r = 1; +@@ -1802,9 +1802,9 @@ static int jvp_object_contains(jv a, jv b) { + jv_object_foreach(b, key, b_val) { + jv a_val = jv_object_get(jv_copy(a), key); + +- r = jv_contains(a_val, b_val); ++ r = jvp_contains(a_val, b_val, depth); + +- if (!r) break; ++ if (r <= 0) break; + } + return r; + } +@@ -2035,14 +2035,23 @@ int jv_identical(jv a, jv b) { + return r; + } + +-int jv_contains(jv a, jv b) { ++#ifndef MAX_CONTAINS_DEPTH ++#define MAX_CONTAINS_DEPTH (10000) ++#endif ++ ++static int jvp_contains(jv a, jv b, int depth) { ++ if (depth > MAX_CONTAINS_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return -1; ++ } + int r = 1; + if (jv_get_kind(a) != jv_get_kind(b)) { + r = 0; + } else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) { +- r = jvp_object_contains(a, b); ++ r = jvp_object_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) { +- r = jvp_array_contains(a, b); ++ r = jvp_array_contains(a, b, depth + 1); + } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) { + int b_len = jv_string_length_bytes(jv_copy(b)); + if (b_len != 0) { +@@ -2058,3 +2067,8 @@ int jv_contains(jv a, jv b) { + jv_free(b); + return r; + } ++ ++// Returns 1 (contained), 0 (not contained), or -1 (too deep) ++int jv_contains(jv a, jv b) { ++ return jvp_contains(a, b, 0); ++} +diff --git a/tests/jq.test b/tests/jq.test +index 4d57301..40d14d6 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2153,4 +2153,13 @@ null + + try 
delpaths([[range(10001) | 0]]) catch . + null +-"Path too deep" +\ No newline at end of file ++"Path too deep" ++ ++# regression test for CVE-2026-40612 ++reduce range(10000) as $_ ([]; [.]) | contains([[]]) ++null ++true ++ ++try ((reduce range(10001) as $_ ([]; [.])) as $x | $x | contains($x)) catch . ++null ++"Containment check too deep" +-- +2.44.4 + diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index 98f06af3b9..b35e5579b2 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
@@ -20,6 +20,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2026-33947.patch \ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ + file://CVE-2026-40612.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
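
Review bot: In the last src/jv.c hunk, `jv_contains` keeps its `int` signature but now returns -1 as well as 0 and 1, so any caller that still tests the result as a boolean (`if (jv_contains(a, b))`) treats "too deep" as "contained". Only `f_contains` in src/builtin.c is updated in this patch; please confirm the 1.7.1 tree has no other caller, and put the `// Returns 1 (contained), 0 (not contained), or -1 (too deep)` comment on the declaration in the header as well, so the three-valued contract is visible where the function is declared.
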
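
Review bot: In the tests/jq.test hunk, the accepting case `reduce range(10000) as $_ ([]; [.]) | contains([[]])` never gets near the limit, because the recursion in `jvp_array_contains` only descends as far as `b` is nested and `[[]]` stops after two levels. The limit is therefore pinned only from the rejecting side (`range(10001)`). Adding the same self-containment expression with `range(10000)`, which by the `depth > MAX_CONTAINS_DEPTH` check should return `true`, would catch an off-by-one if this backport is rebased again.
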
From patchwork Wed Jun 10 07:52:50 2026
X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 89621
From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-devel@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Shubham Pushpkar
Subject: [meta-OE] [scarthgap] [PATCH 2/5] jq: Fix CVE-2026-41256
Date: Wed, 10 Jun 2026 00:52:50 -0700
Message-Id: <20260610075253.1676404-2-spushpka@cisco.com>
In-Reply-To: <20260610075253.1676404-1-spushpka@cisco.com>
References: <20260610075253.1676404-1-spushpka@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127510

From: Shubham Pushpkar

The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41256.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738

Reference: https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg

Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-41256.patch | 54 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 55 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch new file mode 100644 index 0000000000..224bb103da --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch 
@@ -0,0 +1,54 @@ +From f4efca339cadef8ce7a5d5be98d0d2a8e0a77989 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:15:08 +0900 +Subject: [PATCH] Fix NUL truncation in program files loaded with -f + +This fixes CVE-2026-41256. + +CVE: CVE-2026-41256 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738] + +(cherry picked from commit 5a015deae35d19e3ebbc65db6c157a80e76df738) +Signed-off-by: Shubham Pushpkar +--- + src/main.c | 8 ++++++++ + tests/shtest | 7 +++++++ + 2 files changed, 15 insertions(+) + +diff --git a/src/main.c b/src/main.c +index 43586c4..f462e4d 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -677,6 +677,14 @@ int main(int argc, char* argv[]) { + ret = JQ_ERROR_SYSTEM; + goto out; + } ++ int len = jv_string_length_bytes(jv_copy(data)); ++ if ((size_t)len != strlen(jv_string_value(data))) { ++ fprintf(stderr, "jq: program file contains NUL bytes\n"); ++ free(program_origin); ++ jv_free(data); ++ ret = JQ_ERROR_SYSTEM; ++ goto out; ++ } + jq_set_attr(jq, jv_string("PROGRAM_ORIGIN"), jq_realpath(jv_string(dirname(program_origin)))); + ARGS = JV_OBJECT(jv_string("positional"), ARGS, + jv_string("named"), jv_copy(program_arguments)); +diff --git a/tests/shtest b/tests/shtest +index 0397ca0..505d45d 100755 +--- a/tests/shtest ++++ b/tests/shtest +@@ -615,4 +615,11 @@ if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then + exit 1 + fi + ++# CVE-2026-41256: No NUL truncation in program files loaded with -f ++printf '.\x00invalid' > "$d/nul_prog.jq" ++if echo '42' | $JQ -f "$d/nul_prog.jq" >/dev/null 2>/dev/null; then ++ printf 'Error expected for program file with NUL bytes\n' 1>&2 ++ exit 1 ++fi ++ + exit 0 +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index b35e5579b2..c50ffc4cbe 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
@@ -21,6 +21,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2026-33948.patch \ file://CVE-2026-39979.patch \ file://CVE-2026-40612.patch \ + file://CVE-2026-41256.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
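
Review bot: In the tests/shtest hunk, `printf '.\x00invalid'` relies on `\x` escapes, which POSIX printf does not define. A shell whose builtin printf lacks them writes the characters `\x00` literally, jq then fails to compile the file as a syntax error, and the test passes whether or not the src/main.c check is present. `printf '.\000invalid'` is portable. The test also discards stderr and checks only for a non-zero exit; matching on `program file contains NUL bytes` would tie it to this fix rather than to any failure.
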
From patchwork Wed Jun 10 07:52:51 2026
X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 89622
From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-devel@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Shubham Pushpkar
Subject: [meta-OE] [scarthgap] [PATCH 3/5] jq: Fix CVE-2026-41257
Date: Wed, 10 Jun 2026 00:52:51 -0700
Message-Id: <20260610075253.1676404-3-spushpka@cisco.com>
In-Reply-To: <20260610075253.1676404-1-spushpka@cisco.com>
References: <20260610075253.1676404-1-spushpka@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127511

From: Shubham Pushpkar

The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41257.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f

Signed-off-by: Shubham Pushpkar --- .../jq/jq/CVE-2026-41257.patch | 57 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch new file mode 100644 index 0000000000..9eb3ea2576 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch 
@@ -0,0 +1,57 @@ +From a525b86330b4b8889e0329249b8d2e04f9640a2a Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Fri, 24 Apr 2026 22:09:44 +0900 +Subject: [PATCH] Fix signed-int overflow in `stack_reallocate` + +This fixes CVE-2026-41257. + +CVE: CVE-2026-41257 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f] + +(cherry picked from commit 01b3cded76daacbfddb7f8763700b0803bcb5c6f) +Signed-off-by: Shubham Pushpkar +--- + src/exec_stack.h | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/exec_stack.h b/src/exec_stack.h +index 2a063e8..159c56e 100644 +--- a/src/exec_stack.h ++++ b/src/exec_stack.h +@@ -2,8 +2,10 @@ + #define EXEC_STACK_H + #include + #include ++#include + #include + #include ++#include + #include "jv_alloc.h" + + /* +@@ -81,15 +83,19 @@ static stack_ptr* stack_block_next(struct stack* s, stack_ptr p) { + } + + static void stack_reallocate(struct stack* s, size_t sz) { +- int old_mem_length = -(s->bound) + ALIGNMENT; +- char* old_mem_start = (s->mem_end != NULL) ? (s->mem_end - old_mem_length) : NULL; ++ size_t old_mem_length = (size_t)(-(s->bound)) + ALIGNMENT; ++ char* old_mem_start = s->mem_end != NULL ? s->mem_end - old_mem_length : NULL; + +- int new_mem_length = align_round_up((old_mem_length + sz + 256) * 2); ++ size_t new_mem_length = align_round_up((old_mem_length + sz + 256) * 2); ++ if (new_mem_length > INT_MAX) { ++ fprintf(stderr, "jq: error: cannot allocate memory\n"); ++ abort(); ++ } + char* new_mem_start = jv_mem_realloc(old_mem_start, new_mem_length); + memmove(new_mem_start + (new_mem_length - old_mem_length), + new_mem_start, old_mem_length); + s->mem_end = new_mem_start + new_mem_length; +- s->bound = -(new_mem_length - ALIGNMENT); ++ s->bound = -(int)(new_mem_length - ALIGNMENT); + } + + static stack_ptr stack_push_block(struct stack* s, stack_ptr p, size_t sz) { +-- +2.44.4 
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index c50ffc4cbe..917196d7b5 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
@@ -22,6 +22,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2026-39979.patch \ file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ + file://CVE-2026-41257.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
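
Review bot: In the `stack_reallocate` hunk of src/exec_stack.h, the `new_mem_length > INT_MAX` check runs only after `(old_mem_length + sz + 256) * 2` has been computed in `size_t` and passed through `align_round_up`, whose parameter and return types are not part of this diff. On a 32-bit target a large enough `sz` lets the sum or the doubling wrap before the check sees it, and if `align_round_up` still takes or returns `int` the value is narrowed before the comparison. Please confirm the helper's signature in the 1.7.1 tree, and consider bounding `sz` against `INT_MAX` before the arithmetic rather than after it.
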
From patchwork Wed Jun 10 07:52:52 2026
X-Patchwork-Submitter: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
X-Patchwork-Id: 89623
From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-devel@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Shubham Pushpkar
Subject: [meta-OE] [scarthgap] [PATCH 4/5] jq: Fix CVE-2026-43894
Date: Wed, 10 Jun 2026 00:52:52 -0700
Message-Id: <20260610075253.1676404-4-spushpka@cisco.com>
In-Reply-To: <20260610075253.1676404-1-spushpka@cisco.com>
References: <20260610075253.1676404-1-spushpka@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127512

From: Shubham Pushpkar

The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43894.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4

Reference: https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g

Signed-off-by: Shubham Pushpkar
--- .../jq/jq/CVE-2026-43894.patch | 56 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch new file mode 100644 index 0000000000..0549128b7b --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch
@@ -0,0 +1,56 @@ +From 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Wed, 13 May 2026 19:41:49 +0900 +Subject: [PATCH] Reject numeric literals longer than DEC_MAX_DIGITS + (999999999) + +A signed-int overflow in decNumber's D2U macro lets huge literals write +attacker-controlled bytes past a stack buffer. Cap the length before +calling decNumberFromString, and pre-slice long strings in +jv_dump_string_trunc so the resulting error message doesn't itself +allocate a multi-GiB buffer. Fixes CVE-2026-43894. + +CVE: CVE-2026-43894 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4] + +(cherry picked from commit 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4) +Signed-off-by: Shubham Pushpkar +--- + src/jv.c | 5 ++++- + src/jv_print.c | 4 ++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/jv.c b/src/jv.c +index 34573b8..26ccfc0 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -579,8 +579,11 @@ + } + + static jv jvp_literal_number_new(const char * literal) { ++ size_t len = strlen(literal); ++ if (len > DEC_MAX_DIGITS) ++ return JV_INVALID; + +- jvp_literal_number * n = jvp_literal_number_alloc(strlen(literal)); ++ jvp_literal_number * n = jvp_literal_number_alloc(len); + + n->refcnt = JV_REFCNT_INIT; + n->literal_data = NULL; +diff --git a/src/jv_print.c b/src/jv_print.c +index 7f1e312..25540c5 100644 +--- a/src/jv_print.c ++++ b/src/jv_print.c +@@ -387,6 +387,10 @@ + } + + char *jv_dump_string_trunc(jv x, char *outbuf, size_t bufsize) { ++ if (jv_get_kind(x) == JV_KIND_STRING && ++ (size_t)jv_string_length_bytes(jv_copy(x)) > bufsize) { ++ x = jv_string_slice(x, 0, bufsize); ++ } + x = jv_dump_string(x,0); + const char* p = jv_string_value(x); + const size_t len = strlen(p); +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index 917196d7b5..54fa9f096d 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
+++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb 
@@ -23,6 +23,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2026-40612.patch \ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ + file://CVE-2026-43894.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
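Review bot: the header of the embedded CVE-2026-43894.patch records only the upstream commit (the Upstream-Status: Backport line and the cherry-pick line), while the commit message of this mail says the Debian patch from jq 1.8.1-7 is what was taken, and there is no "Backport Changes" section like the one in patch 5/5. Please record the Debian origin in the patch header and state whether anything had to be adapted for jq 1.7.1, so the provenance stays with the file.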
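Review bot: the new guard in jvp_literal_number_new() (src/jv.c) compares strlen(literal), a byte count that also covers any sign, decimal point and exponent characters, against DEC_MAX_DIGITS, which is a digit limit. That errs on the strict side, which is what is wanted here, but a short comment above `if (len > DEC_MAX_DIGITS)` saying the comparison is deliberately conservative would keep a later cleanup from loosening it. The backport also adds no test: the diffstat lists only src/jv.c and src/jv_print.c, whereas patch 5/5 in this series carries regression cases in tests/jq.test. Please add a case for an over-long literal, or say in the patch header how the 1.7.1 build was checked.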
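Review bot: in jv_dump_string_trunc() (src/jv_print.c) the pre-slice tests a byte length against bufsize but then passes bufsize to `jv_string_slice(x, 0, bufsize)` with no comment on which unit the slice indices use or how a size_t bufsize converts to that parameter's type. Please confirm both and add a comment stating that the slice exists only to bound the allocation made by jv_dump_string(), and that the truncation further down in the function still produces the final output.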
From: "Shubham Pushpkar -X (spushpka - E INFOCHIPS PRIVATE LIMITED at Cisco)"
To: openembedded-devel@lists.openembedded.org
Cc: xe-linux-external@cisco.com, to@cisco.com, Shubham Pushpkar
Subject: [meta-OE] [scarthgap] [PATCH 5/5] jq: Fix CVE-2026-43896
Date: Wed, 10 Jun 2026 00:52:53 -0700
Message-Id: <20260610075253.1676404-5-spushpka@cisco.com>
In-Reply-To: <20260610075253.1676404-1-spushpka@cisco.com>
References: <20260610075253.1676404-1-spushpka@cisco.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/127513
From: Shubham Pushpkar

The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-7. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-43896.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2

Reference: https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846

Signed-off-by: Shubham Pushpkar
--- .../jq/jq/CVE-2026-43896.patch | 97 +++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.7.1.bb | 1 + 2 files changed, 98 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch new file mode 100644 index 0000000000..e9e6529372 --- /dev/null +++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch
@@ -0,0 +1,97 @@ +From 532ccea6080ed6758f39fe9f6208a44b665023d2 Mon Sep 17 00:00:00 2001 +From: itchyny +Date: Tue, 5 May 2026 22:44:02 +0900 +Subject: [PATCH] Limit recursive object merge depth to prevent stack overflow + +This fixes CVE-2026-43896. + +CVE: CVE-2026-43896 +Upstream-Status: Backport [https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2] + +Backport Changes: +- Adapted the tests/jq.test hunk context to apply after the existing + jq 1.7.1 CVE regression tests in the scarthgap patch stack. +- The upstream regression test used `reduce ... as $x` without wrapping + the `reduce` expression in parentheses. jq 1.7.1 parses that form as a + syntax error before the test can run. +- Wrapped the `reduce range(...) ...` expression in an extra set of + parentheses so jq 1.7.1 first builds the nested object, then binds that + result to `$x` for the object merge depth-limit check. + +(cherry picked from commit 532ccea6080ed6758f39fe9f6208a44b665023d2) +Signed-off-by: Shubham Pushpkar +--- + src/jv.c | 25 +++++++++++++++++++++++-- + tests/jq.test | 9 +++++++++ + 2 files changed, 32 insertions(+), 2 deletions(-) + +diff --git a/src/jv.c b/src/jv.c +index 34573b8..b112757 100644 +--- a/src/jv.c ++++ b/src/jv.c +@@ -1884,16 +1884,33 @@ jv jv_object_merge(jv a, jv b) { + return a; + } + +-jv jv_object_merge_recursive(jv a, jv b) { ++#ifndef MAX_OBJECT_MERGE_DEPTH ++#define MAX_OBJECT_MERGE_DEPTH (10000) ++#endif ++ ++static jv jvp_object_merge_recursive(jv a, jv b, int depth) { + assert(JVP_HAS_KIND(a, JV_KIND_OBJECT)); + assert(JVP_HAS_KIND(b, JV_KIND_OBJECT)); + ++ if (depth > MAX_OBJECT_MERGE_DEPTH) { ++ jv_free(a); ++ jv_free(b); ++ return jv_invalid_with_msg(jv_string("Object merge too deep")); ++ } ++ + jv_object_foreach(b, k, v) { + jv elem = jv_object_get(jv_copy(a), jv_copy(k)); + if (jv_is_valid(elem) && + JVP_HAS_KIND(elem, JV_KIND_OBJECT) && + JVP_HAS_KIND(v, JV_KIND_OBJECT)) { +- a = jv_object_set(a, k, 
jv_object_merge_recursive(elem, v)); ++ jv merged = jvp_object_merge_recursive(elem, v, depth + 1); ++ if (!jv_is_valid(merged)) { ++ jv_free(k); ++ jv_free(a); ++ jv_free(b); ++ return merged; ++ } ++ a = jv_object_set(a, k, merged); + } else { + jv_free(elem); + a = jv_object_set(a, k, v); +@@ -1904,6 +1921,10 @@ jv jv_object_merge_recursive(jv a, jv b) { + return a; + } + ++jv jv_object_merge_recursive(jv a, jv b) { ++ return jvp_object_merge_recursive(a, b, 0); ++} ++ + /* + * Object iteration (internal helpers) + */ +diff --git a/tests/jq.test b/tests/jq.test +index 86bfc56..a258c11 100644 +--- a/tests/jq.test ++++ b/tests/jq.test +@@ -2633,3 +2633,12 @@ true + try ((reduce range(10001) as $_ ([]; [.])) as $x | $x | contains($x)) catch . + null + "Containment check too deep" ++ ++# regression test for CVE-2026-43896 ++(reduce range(10000) as $_ ({}; {a: .})) as $x | $x * $x | length ++null ++1 ++ ++try ((reduce range(10001) as $_ ({}; {a: .})) as $x | $x * $x) catch . ++null ++"Object merge too deep" +-- +2.44.4 diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb index 54fa9f096d..2fc47ef92c 100644 --- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb +++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb @@ -24,6 +24,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \ file://CVE-2026-41256.patch \ file://CVE-2026-41257.patch \ file://CVE-2026-43894.patch \ + file://CVE-2026-43896.patch \ " SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
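Review bot: in jvp_object_merge_recursive() (src/jv.c) the failure path inside jv_object_foreach frees k, a and b by hand before `return merged;`, and nothing says why those three are still owned at that point while elem and v are not. A one-line comment (elem and v were consumed by the recursive call, k was never handed to jv_object_set) would make the reference handling reviewable. It is also worth stating next to MAX_OBJECT_MERGE_DEPTH that the bound is inclusive: depth starts at 0 and the test is `depth > MAX_OBJECT_MERGE_DEPTH`, so 10001 nested calls are allowed, which is what the tests/jq.test cases pin down.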
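Review bot: the two new cases in tests/jq.test hard-code 10000 and 10001, which only match the default MAX_OBJECT_MERGE_DEPTH; the src/jv.c hunk wraps that macro in #ifndef, so a build that overrides it will fail these tests. Please add a comment above the cases tying the numbers to the default value. The "Backport Changes" text explains the extra parentheses around reduce for jq 1.7.1; repeating that as a comment in the test would keep the explanation next to the lines it concerns.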