
jq CVE-2026-41256

EUVD-2026-29162 MEDIUM
Improper Neutralization of Null Byte or NUL Character (CWE-158)
2026-05-11 GitHub_M
CVSS 3.1: 5.5

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: May 11, 2026 - 18:47 (vuln.today)
CVE Published: May 11, 2026 - 17:18 (nvd), MEDIUM 5.5

Description (NVD)

jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

Analysis (AI)

jq 1.8.1 and earlier truncates filter files at the first embedded NUL byte when they are loaded with -f, so only the prefix before the NUL is compiled and executed. A crafted filter file containing a NUL byte and an arbitrary suffix therefore runs silently as a different program than its full contents indicate, bypassing intended filter logic and potentially modifying JSON output in undetected ways. …
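
A pre-flight audit for filter files that will be passed to jq -f, added here as an example (it is not code from jq or from this site). It reports the offset of the first NUL byte and splits the file into the prefix an affected jq would run and the suffix it would ignore. The function names, the .jq file suffix and the sample byte strings are assumptions made for the illustration.

```python
"""Audit jq filter files for embedded NUL bytes before they reach `jq -f`."""
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass
class NulFinding:
    path: str
    offset: int      # index of the first NUL byte in the file
    executed: bytes  # prefix that jq 1.8.1 and earlier compiles and runs
    dropped: bytes   # bytes after the first NUL, never seen by the compiler


def check_filter_bytes(path, data):
    """Return a NulFinding if the filter contains a NUL byte, else None."""
    offset = data.find(b"\x00")
    if offset == -1:
        return None
    return NulFinding(path, offset, data[:offset], data[offset + 1:])


def audit_tree(root, suffixes=(".jq",)):
    """Check every filter file under root (the .jq suffix is an assumption)."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            finding = check_filter_bytes(str(p), p.read_bytes())
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed samples: the shape given in the description ("." + NUL + suffix)
# and a clean filter for comparison.
SAMPLE_CRAFTED = b".\x00 | select(.approved == true)"
SAMPLE_CLEAN = b".items[] | select(.enabled)\n"

if __name__ == "__main__":
    results = audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in results:
        print(f"{f.path}: NUL at byte {f.offset}; affected jq runs "
              f"{f.executed!r} and ignores {len(f.dropped)} byte(s)")
    sys.exit(1 if results else 0)  # non-zero exit lets CI block the file
```

Run against a directory of filters, the script exits non-zero if any file contains a NUL, so it can gate a pipeline step that later calls jq -f.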
