Description
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
Published: 2026-04-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory disclosure and denial of service due to improper type checks in _strindices
Action: Patch immediately
AI Analysis

Impact

The vulnerability arises because the _strindices builtin passes its arguments directly to a string indexer without validating that they are actually strings. In a release build the assertions that would catch this are compiled out, so the function dereferences a pointer derived from an arbitrary numeric value. This results in a program crash, and by crafting a numeric value whose IEEE‑754 bit pattern maps to a chosen pointer, an attacker can read small amounts of memory around that pointer. The effect is a denial‑of‑service condition and limited memory disclosure. The weakness maps to out-of-bounds read (CWE-125), NULL pointer dereference (CWE-476) and type confusion (CWE-843).
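
The pattern behind this class of bug, as an added example that is not jq's code: a type guard written only as assert() next to one written as a runtime branch. The val type and the count_matches_* functions are hypothetical names made up for this illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged value (not jq's jv type): a number and a string
 * pointer share storage, and only `kind` says which one is valid. */
typedef enum { VAL_NUMBER, VAL_STRING } val_kind;
typedef struct {
    val_kind kind;
    union { double num; const char *str; } u;
} val;

static val val_num(double d)      { val v = { VAL_NUMBER, { .num = d } }; return v; }
static val val_str(const char *s) { val v = { VAL_STRING, { .str = s } }; return v; }

/* "Before" pattern: assert() is the only type guard. Under -DNDEBUG it
 * expands to nothing, and a number's bytes are then used as a pointer. */
static int count_matches_assert_only(val hay, val needle) {
    assert(hay.kind == VAL_STRING && needle.kind == VAL_STRING);
    int n = 0;
    if (needle.u.str[0] == '\0') return 0;
    for (const char *p = hay.u.str; (p = strstr(p, needle.u.str)) != NULL; p++)
        n++;                       /* counts overlapping matches */
    return n;
}

/* Hardened pattern: an ordinary branch that survives release builds and
 * reports a type error (-1) instead of touching the union's pointer. */
static int count_matches_checked(val hay, val needle) {
    if (hay.kind != VAL_STRING || needle.kind != VAL_STRING) return -1;
    if (hay.u.str == NULL || needle.u.str == NULL) return -1;
    return count_matches_assert_only(hay, needle);
}

int main(void) {
    /* Constructed inputs: one valid call, one with a number as haystack. */
    printf("%d\n", count_matches_checked(val_str("abcabc"), val_str("bc")));
    printf("%d\n", count_matches_checked(val_num(0), val_str("bc")));
    return 0;
}
```

Building the same file with and without -DNDEBUG shows that only the checked entry point behaves identically in both configurations.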

Affected Systems

The affected product is jq, a command‑line JSON processor maintained by the jqlang community. All jq releases built after commit 69785bf77f86e2ea1b4a20ca86775916889e91c9, up to the patched commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03, are vulnerable. Specific version ranges are not enumerated, but any distribution package containing jq built from source before the patch is susceptible.

Risk and Exploitability

The CVSS base score of 6.1 indicates a moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower exploitation probability in the wild. The attack vector is likely local: a user who can supply or influence a jq filter can trigger the crash or the memory read primitive. In contexts where jq processes untrusted input in a server or privileged environment, the danger escalates to a remote denial‑of‑service. Exploitation requires only a vulnerable jq binary and crafted input, making it relatively easy to perform once the target is known.

Generated by OpenCVE AI on April 13, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update jq to a version containing commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03 or later
  • Verify that the installed jq binary has been built without the -DNDEBUG define and includes the patch
  • If an immediate upgrade is not possible, restrict the execution of jq to trusted input only or run it in a sandboxed environment
  • Consider using stricter input validation around JSON filters before passing them to jq



Advisories

No advisories yet.

History

Tue, 14 Apr 2026 17:15:00 +0000

Values Added (none removed):
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:30:00 +0000

Values Added (none removed):
  First Time appeared: Jqlang; Jqlang jq
  Vendors & Products: Jqlang; Jqlang jq

Mon, 13 Apr 2026 22:30:00 +0000

Values Added (none removed):
  Description: the text given in the Description section at the top of this page
  Title: jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure
  Weaknesses: CWE-125, CWE-476, CWE-843
  References:
  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T16:28:19.908Z

Reserved: 2026-04-07T22:40:33.822Z

Link: CVE-2026-39956

Vulnrichment

Updated: 2026-04-14T15:34:38.645Z

NVD

Status: Received

Published: 2026-04-13T23:16:27.653

Modified: 2026-04-14T17:16:52.203

Link: CVE-2026-39956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:32:53Z
