Description
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
Published: 2026-04-13
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Input validation bypass enabling malicious data to slip past jq while still being processed by downstream consumers
Action: Immediate Patch
AI Analysis

Impact

jq, a command-line JSON processor, read JSON from files and standard input with fgets() and then took strlen() of the buffer as the number of valid bytes, instead of tracking how many bytes the read had actually produced. Because strlen() stops at the first NUL byte, everything from that byte onward was silently dropped and only the prefix reached the parser. An attacker can therefore build an input that starts with well-formed JSON, contains a NUL byte, and then carries arbitrary trailing data: jq reports the input as valid (its output and exit status reflect the prefix only), while any downstream consumer that reads the original bytes rather than jq's output also sees the trailing data. This is a parser differential: the validation step inspects a different byte sequence than the consumer processes, so validation logic is bypassed without jq itself misbehaving visibly. Note that a raw NUL byte can never occur in a valid JSON text (control characters must be escaped inside strings, and NUL is not JSON whitespace), so the presence of one is by itself sufficient reason to reject the input.
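The following C program is an added illustration, not jq's own code and not the fix commit. It reproduces the two read patterns the description contrasts: a reader that takes strlen() of the buffer filled by fgets(), which counts only the bytes before the embedded NUL, and a reader that keeps the byte count returned by fread() and refuses any input containing a NUL. The sample input, the temporary-file plumbing and all function names are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample (not taken from the advisory): a well-formed JSON
 * document, an embedded NUL byte, then a second document that a
 * NUL-truncating validator never sees. 27 bytes in total. */
static const char SAMPLE[] = "{\"ok\":true}\0{\"admin\":true}\n";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)   /* exclude the literal's terminator */

/* Put the sample into an anonymous temporary file so both readers below go
 * through stdio exactly as they would for a real file or a pipe. */
static FILE *open_sample(void) {
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    if (fwrite(SAMPLE, 1, SAMPLE_LEN, f) != SAMPLE_LEN) {
        fclose(f);
        return NULL;
    }
    rewind(f);
    return f;
}

/* Vulnerable pattern described in the advisory: fgets() fills the buffer but
 * reports no byte count, and the caller substitutes strlen(). strlen() stops
 * at the embedded NUL, so only the benign prefix is counted (and would be the
 * only thing handed to the JSON parser). */
size_t bytes_seen_by_strlen_reader(FILE *f) {
    char buf[256];
    size_t total = 0;
    while (fgets(buf, (int)sizeof buf, f) != NULL)
        total += strlen(buf);          /* BUG: everything after '\0' is dropped */
    return total;
}

/* Hardened pattern: use a call that returns the number of bytes read (fread
 * here) and keep that count. Then reject the input outright if it contains a
 * NUL byte: RFC 8259 requires control characters inside strings to be escaped
 * and NUL is not JSON whitespace, so a raw NUL never occurs in valid JSON.
 * *nul_offset receives the offset of the first NUL, or (size_t)-1 if none. */
size_t bytes_seen_by_counted_reader(FILE *f, size_t *nul_offset) {
    unsigned char buf[256];
    size_t total = 0, n;
    while (total < sizeof buf &&
           (n = fread(buf + total, 1, sizeof buf - total, f)) > 0)
        total += n;
    const unsigned char *p = memchr(buf, '\0', total);
    *nul_offset = (p != NULL) ? (size_t)(p - buf) : (size_t)-1;
    return total;
}

/* Wrappers that run each reader over the sample and return the byte count
 * that reader believes it has. */
size_t demo_vulnerable(void) {
    FILE *f = open_sample();
    if (f == NULL) return 0;
    size_t n = bytes_seen_by_strlen_reader(f);
    fclose(f);
    return n;
}

size_t demo_hardened(size_t *nul_offset) {
    *nul_offset = (size_t)-1;
    FILE *f = open_sample();
    if (f == NULL) return 0;
    size_t n = bytes_seen_by_counted_reader(f, nul_offset);
    fclose(f);
    return n;
}

/* Offset of the first NUL the hardened reader finds in the sample. */
size_t demo_nul_offset(void) {
    size_t off;
    demo_hardened(&off);
    return off;
}

int main(void) {
    size_t nul = 0;
    size_t v = demo_vulnerable();
    size_t h = demo_hardened(&nul);
    printf("strlen reader validated %zu of %zu bytes\n", v, (size_t)SAMPLE_LEN);
    printf("counted reader read %zu bytes", h);
    if (nul != (size_t)-1)
        printf(", NUL at offset %zu: reject (%zu hidden trailing bytes)\n",
               nul, h - nul - 1);
    else
        printf(", no NUL: safe to parse\n");
    return 0;
}
```

The strlen reader reports 11 bytes, the benign prefix only, while the counted reader reports all 27 bytes and locates the NUL at offset 11; the 15 bytes after it are exactly what a downstream consumer of the raw input would process without jq ever having looked at them.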

Affected Systems

The affected vendor is jqlang and the product is jq. Any jq built from a commit before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b is vulnerable. The CVE record gives no release version numbers, so treat every pre-fix revision, including distribution packages built from them, as affected and consult the distribution advisory (Ubuntu USN-8202-2 is listed below) for the packaged versions that carry the fix.

Risk and Exploitability

The CNA assigned a CVSS 4.0 score of 2.9 (Low). NVD's CVSS 3.1 assessment is 5.3 (Medium, AV:N) and Red Hat's is 3.8 (Low, AV:L), reflecting disagreement over whether the attacker reaches jq over the network or only locally. EPSS is below 1% and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation at scale, though the SSVC record notes proof-of-concept exploitation. In practice the attacker must be able to supply bytes that jq reads and that a second consumer also reads: user-uploaded files, webhook payloads, or artifacts passing through scripts and CI pipelines. Once that position exists, crafting the payload is trivial, since it only requires valid JSON followed by a NUL byte and the data intended for the consumer.

Generated by OpenCVE AI on April 14, 2026 at 01:25 UTC.

Remediation

Fixed upstream by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b; Ubuntu has published USN-8202-2 for its packages. No other workaround is described by the vendor.

OpenCVE Recommended Actions

  • Upgrade jq to a build that includes commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b, or to the fixed distribution package (for Ubuntu, the one named in USN-8202-2).
  • If an immediate upgrade is not possible, reject any input that contains a NUL byte before it reaches jq. A raw NUL can never appear in a valid JSON text, so this check loses nothing; it is more reliable than inserting a second validator, which may have its own handling of NUL bytes.
  • Ensure downstream consumers process jq's re-serialized output rather than the raw bytes jq validated; if they must read the original input, apply the same NUL-byte rejection there.


Advisories
Source      ID          Title
Ubuntu USN  USN-8202-2  jq vulnerabilities
History

Wed, 22 Apr 2026 00:00:00 +0000

Type: CPEs
  Values Added: cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*
Type: Metrics
  Values Removed: cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 15 Apr 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N'}
  Values Added: threat_severity Low


Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
  Values Added: Jqlang; Jqlang jq
Type: Vendors & Products
  Values Added: Jqlang; Jqlang jq

Tue, 14 Apr 2026 16:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 00:00:00 +0000

Type: Description
  Values Added: jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
Type: Title
  Values Added: jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input
Type: Weaknesses
  Values Added: CWE-170; CWE-20
Type: References
Type: Metrics
  Values Added: cvssV4_0 {'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:53:38.340Z

Reserved: 2026-03-24T19:50:52.105Z

Link: CVE-2026-33948

Vulnrichment

Updated: 2026-04-14T15:53:26.673Z

NVD

Status : Analyzed

Published: 2026-04-14T00:16:06.867

Modified: 2026-04-21T23:48:10.020

Link: CVE-2026-33948

Red Hat

Severity : Low

Public Date: 2026-04-13T23:51:04Z

Links: CVE-2026-33948 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:32:02Z

Weaknesses