{"id":"AZL-57376","summary":"CVE-2024-53427 affecting package jq for versions less than 1.7.1-2","details":"decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., \"1 NaN123\" immediately followed by many more digits).","modified":"2026-04-21T04:36:54.844427Z","published":"2025-02-26T16:15:16Z","upstream":["CVE-2024-53427"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53427"}],"affected":[{"package":{"name":"jq","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/jq"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.1-2"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-57376.json"}}],"schema_version":"1.7.5"}