Skip to main content

jq CVE-2026-41256

| EUVDEUVD-2026-29162 MEDIUM
Improper Neutralization of Null Byte or NUL Character (CWE-158)
2026-05-11 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVE Published
May 11, 2026 - 17:18 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

AnalysisAI

Jq 1.8.1 and earlier truncate filter files at the first embedded NUL byte when loaded with -f, causing only the prefix before the NUL to execute. A crafted filter file containing a NUL byte and arbitrary suffix allows an attacker to inject malicious code that compiles and runs silently, bypassing intended filter logic and potentially modifying JSON output in undetected ways. This represents a post-CVE-2026-33948 regression on the compilation path.

Technical ContextAI

Jq is a command-line JSON processor that accepts filter programs via -f flag to read from files. The vulnerability stems from improper NUL byte handling during file parsing on the compilation path. CWE-158 (Improper Neutralization of Null Byte or NUL Character) indicates the root cause: the filter file parser does not correctly handle embedded NUL bytes that truncate the filter string. The JSON parser path was previously fixed in CVE-2026-33948, but the compilation path retained the vulnerability. When a filter file is read, the code encounters a NUL byte mid-file and treats it as a string terminator, causing the remainder of the file to be silently ignored. This creates a semantic mismatch: the compiled program executes the truncated filter while subsequent content in the file is never processed.

RemediationAI

Upgrade to a patched version of jq released after 1.8.1 once available from the jqlang project. Until a patch is released, implement compensating controls: validate filter files before execution by ensuring they do not contain embedded NUL bytes (scan incoming filter files with hex editors or custom scripts to reject or sanitize files containing \x00 sequences), restrict -f flag usage to administrator-controlled filter files stored in protected directories with strict file permissions, and avoid executing jq -f with filter files sourced from untrusted inputs or user-supplied sources. If jq is used in automated pipelines, implement a pre-execution filter file integrity check that rejects any file containing NUL bytes. Consult the GitHub security advisory at https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg for patch availability and timeline.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-41256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy