Description
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
Published: 2026-05-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In jq versions 1.8.1 and earlier, a filter file loaded with the -f option is truncated at the first NUL byte. A crafted file containing a legitimate prefix, a NUL byte, and arbitrary suffix compiles and executes only the prefix, leaving jq with a prefix/full-buffer mismatch on the compilation path. The resulting mismatch could lead to unpredictable execution of the filter logic or a denial of service, but current evidence does not demonstrate remote code execution.

Affected Systems

The vulnerable software is jq, version 1.8.1 and earlier, distributed by jqlang:jq. Any system running these versions that allows users to supply filter files via the -f option is exposed.

Risk and Exploitability

The CVSS score of 5.5 reflects a moderate impact. EPSS is not available and the vulnerability is not listed in CISA KEV. Attackers must be able to supply a filter file to jq; therefore the attack vector is local or via an application that uses jq. Once the file is processed, the truncation can lead to unexpected behavior or denial of service but does not by itself grant arbitrary code execution.

Generated by OpenCVE AI on May 11, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jq to a version that fixes the NUL truncation bug (1.8.2 or later).
  • Prior to execution, sanitize any filter files supplied via -f by removing or rejecting embedded NUL bytes.
  • Restrict write permissions on directories from which jq accepts filter files to trusted users only.

Generated by OpenCVE AI on May 11, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4599-1 jq security update
History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 13 May 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Jqlang
Jqlang jq
Vendors & Products Jqlang
Jqlang jq

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
Title jq: Embedded NUL truncates top-level jq programs loaded with -f
Weaknesses CWE-158
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Subscriptions

Jqlang Jq
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:13:15.235Z

Reserved: 2026-04-18T14:01:46.801Z

Link: CVE-2026-41256

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T18:16:33.983

Modified: 2026-05-13T17:00:49.953

Link: CVE-2026-41256

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-11T17:18:30Z

Links: CVE-2026-41256 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T20:30:15Z

Weaknesses
  • CWE-158

    Improper Neutralization of Null Byte or NUL Character