Description
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Published: 2026-04-13
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory disclosure or crash
Action: Apply patch
AI Analysis

Impact

The issue originates from an out‑of‑bounds read that occurs in the error‑handling path of the jv_parse_sized() API when it formats a counted buffer with the %s specifier, ignoring the supplied length. Because the format expects a NUL‑terminated string, reading past the buffer boundary can expose arbitrary memory contents or cause an application termination. This flaw is identified as a classic out‑of‑bounds read (CWE‑125) and would only be triggered when malformed JSON that lacks a NUL terminator is processed.
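The mechanism described in the Description and in the Impact paragraph above, as an added example in plain C that is not jq or libjq code: a hypothetical error formatter that accepts a byte count but ignores it in favour of "%s", beside the hardened form that passes the count as a "%.*s" precision, plus the caller-side mitigation of handing the parser an explicitly NUL-terminated copy. The function names, the constructed input and the sentinel bytes after it are assumptions made for this illustration; the input literal is itself NUL-terminated so the vulnerable path stops cleanly instead of reading foreign memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: 9 bytes of malformed JSON with no terminator of its
 * own, immediately followed by sentinel bytes that stand in for whatever
 * unrelated data sits after a real counted buffer in memory. The literal
 * as a whole is NUL-terminated so the "%s" path below is well-defined. */
#define JSON_LEN 9
static const char constructed_input[] = "{\"a\": tru" "SECRET-DATA";

/* Vulnerable pattern (hypothetical, not libjq code): the length parameter
 * is accepted but the format string ignores it, so the message runs until
 * the first NUL byte, wherever that happens to be. */
int format_error_ignores_len(char *out, size_t out_len,
                             const char *buf, size_t buf_len)
{
    (void)buf_len; /* the defect: the caller-supplied count is never used */
    return snprintf(out, out_len, "Invalid JSON text: %s", buf);
}

/* Hardened pattern: "%.*s" takes the byte count as a precision argument,
 * so at most buf_len bytes are read regardless of where a NUL sits. */
int format_error_respects_len(char *out, size_t out_len,
                              const char *buf, size_t buf_len)
{
    return snprintf(out, out_len, "Invalid JSON text: %.*s",
                    (int)buf_len, buf);
}

/* Caller-side mitigation when the library's error path may still use "%s":
 * give it a private copy that carries its own terminator. Caller frees. */
char *nul_terminated_copy(const char *buf, size_t len)
{
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, buf, len);
    copy[len] = '\0';
    return copy;
}

/* Returns 1 if a formatted message contains bytes beyond the declared
 * length, i.e. the sentinel leaked into the error text. */
int message_leaks_sentinel(const char *msg)
{
    return strstr(msg, "SECRET-DATA") != NULL;
}

/* Runs both formatters over the constructed input; returns 1 when the
 * length-ignoring formatter leaks and the length-respecting one does not. */
int demo(void)
{
    char bad[64], good[64];
    format_error_ignores_len(bad, sizeof bad, constructed_input, JSON_LEN);
    format_error_respects_len(good, sizeof good, constructed_input, JSON_LEN);
    return message_leaks_sentinel(bad)
        && !message_leaks_sentinel(good)
        && strcmp(good, "Invalid JSON text: {\"a\": tru") == 0;
}

int main(void)
{
    char bad[64], good[64];
    format_error_ignores_len(bad, sizeof bad, constructed_input, JSON_LEN);
    format_error_respects_len(good, sizeof good, constructed_input, JSON_LEN);
    printf("%%s   -> %s\n%%.*s -> %s\n", bad, good);
    return demo() ? 0 : 1;
}
```

The "%.*s" form is the one-line fix for this bug class whenever a function receives a pointer plus a length; the copying wrapper is the consumer-side workaround the recommended actions below describe, and it costs one allocation per parse.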

Affected Systems

Any installation of jq that includes libjq code prior to commit 2f09060afab23fe9390cce7cb860b10416e1bf5f is affected. This encompasses all versions of the command‑line tool and any program that links against the older libjq library and calls jv_parse_sized() with external input. The patch removes the vulnerable string formatting and correctly respects the buffer length, restoring safe error construction.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. Based on the description, the vulnerability can be reached by any program or service that supplies untrusted JSON to the library. Thus the attack vector is effectively any context where external data is parsed—such as command line usage, web servers, or embedded scripts. Exploitation would require an attacker to craft malformed, non‑NUL‑terminated JSON; this yields either a memory disclosure or a crash. The absence of an EPSS score and lack of listing in CISA’s KEV catalog suggests no known widespread exploitation, but the issue remains reachable and potentially damaging.

Generated by OpenCVE AI on April 13, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of jq that includes commit 2f09060afab23fe9390cce7cb860b10416e1bf5f or later.
  • If an upgrade is not immediately possible, avoid feeding untrusted JSON to the library or ensure that buffers are properly NUL‑terminated before parsing.
  • Monitor applications for unexpected crashes or anomalous memory reads and review logs for potential exploitation attempts.
  • Check the jq project’s release notes for the latest security patches and apply them as soon as possible.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type                   Values Removed   Values Added
First Time appeared                     Jqlang
                                        Jqlang jq
Vendors & Products                      Jqlang
                                        Jqlang jq

Tue, 14 Apr 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 22:45:00 +0000

Type          Values Removed   Values Added
Description                    jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Title                          jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers
Weaknesses                     CWE-125
References
Metrics                        cvssV4_0
                               {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:43:15.227Z

Reserved: 2026-04-08T00:01:47.628Z

Link: CVE-2026-39979

Vulnrichment

Updated: 2026-04-14T13:43:05.927Z

NVD

Status : Received

Published: 2026-04-13T23:16:27.823

Modified: 2026-04-14T15:16:37.047

Link: CVE-2026-39979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:32:52Z

Weaknesses