CVE-2015-8863

CRITICALNVD 9.89.8—

9.8

Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (crash) via a long JSON-encoded number, which triggers a heap-based buffer overflow.

CVSS v3: 9.8
EG Score: 9.8(medium)
EPSS: 93.4%
KEV: Not listed

Published

May 6, 2016

Last Modified

May 6, 2026

Advisory Details (8)

Auto-updated May 8, 2026

Patch available.

generic

Heap-based buffer overflow in check_literal() · Issue #995 · jqlang/jq · GitHub

https://github.com/stedolan/jq/issues/995

generic

Heap buffer overflow in tokenadd() (fix #105) · jqlang/jq@8eb1367 · GitHub

https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd

generic Patch Available

#802231 - jq: CVE-2015-8863: Heap buffer overflow in tokenadd() - Debian Bug report logs

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802231

generic

oss-security - Re: CVE Request: jq: heap buffer overflow in tokenadd() function

http://www.openwall.com/lists/oss-security/2016/04/23/2

generic

oss-security - CVE Request: jq: heap buffer overflow in tokenadd() function

http://www.openwall.com/lists/oss-security/2016/04/23/1

generic

http://rhn.redhat.com/errata/RHSA-2016-1106.html

generic

http://rhn.redhat.com/errata/RHSA-2016-1099.html

generic

http://rhn.redhat.com/errata/RHSA-2016-1098.html

Frequently asked(5)

What is CVE-2015-8863?

CVE-2015-8863 is a critical vulnerability published on May 6, 2016. Off-by-one error in the tokenadd function in jv_parse.c in jq allows remote attackers to cause a denial of service (crash) via a long JSON-encoded number, which triggers a heap-based buffer overflow.

When was CVE-2015-8863 disclosed?

CVE-2015-8863 was first published in the National Vulnerability Database on May 6, 2016, with the most recent update on May 6, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2015-8863 actively exploited?

CVE-2015-8863 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 93.4% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2015-8863?

CVE-2015-8863 has a CVSS v3 base score of 9.8 (NVD).

How do I remediate CVE-2015-8863?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2015-8863, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2015-8863

Explore →

Is Your Infrastructure Affected by CVE-2015-8863?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2015-8863

📅 Published

🔄 Last Modified

📋 Advisory Details (8)

Heap-based buffer overflow in check_literal() · Issue #995 · jqlang/jq · GitHub

Heap buffer overflow in tokenadd() (fix #105) · jqlang/jq@8eb1367 · GitHub

#802231 - jq: CVE-2015-8863: Heap buffer overflow in tokenadd() - Debian Bug report logs

oss-security - Re: CVE Request: jq: heap buffer overflow in tokenadd() function

oss-security - CVE Request: jq: heap buffer overflow in tokenadd() function

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2015-8863?

🔗 Related CVEs(same vendor)

Same vendor

Published

Last Modified

Advisory Details (8)

Frequently asked(5)

Related CVEs(same vendor)