CVE-2026-30873

MEDIUM

OpenWrt Project jsonpath: Memory leak when processing strings, labels, and regexp tokens

Title source: cna

Description

OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to both 24.10.6 and 25.12.1, the jp_get_token function, which performs lexical analysis by breaking input expressions into tokens, contains a memory leak vulnerability when extracting string literals, field labels, and regular expressions using dynamic memory allocation. These extracted results are stored in a jp_opcode struct, which is later copied to a newly allocated jp_opcode object via jp_alloc_op. During this transfer, if a string was previously extracted and stored in the initial jp_opcode, it is copied to the new allocation but the original memory is never freed, resulting in a memory leak. This issue has been fixed in versions 24.10.6 and 25.12.1.

References (3)

[X_Refsource_Confirm] https://github.com/openwrt/openwrt/security/advisories/GHSA-rcc6-v4r6-gj4m

[X_Refsource_Misc] https://github.com/openwrt/openwrt/releases/tag/v24.10.6

[X_Refsource_Misc] https://github.com/openwrt/openwrt/releases/tag/v25.12.1

Scores

CVSS v3 4.9

EPSS 0.0002

EPSS Percentile 6.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-401

Status published

Products (2)

openwrt/openwrt < 24.10.6 (2 CPE variants)

openwrt/openwrt >= 25.12.0-rc1, < 25.12.1

Published Mar 19, 2026

Tracked Since Mar 20, 2026