Skip to main content

jq CVE-2026-43895

| EUVDEUVD-2026-29173 MEDIUM
Improper Input Validation (CWE-20)
2026-05-11 GitHub_M
4.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative
Red Hat
4.4 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVE Published
May 11, 2026 - 17:24 nvd
MEDIUM 4.4

DescriptionGitHub Advisory

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.

AnalysisAI

jq versions 1.8.1 and earlier allow local authenticated users to bypass import path validation through NUL byte injection, enabling access to unintended files and potential information disclosure. An attacker with local access can craft a jq script containing embedded NUL bytes in import paths that pass policy validation checks but resolve to arbitrary files on disk via C string operations, circumventing intended access controls.

Technical ContextAI

jq is a command-line JSON processor that supports module imports and data-file loading via import/include statements. The vulnerability stems from a mismatch between jq's language-level path handling (which accepts NUL bytes as valid characters) and the underlying C string operations used during filesystem resolution. C strings are NUL-terminated, so a path like 'safe/file\x00../../secret' is validated as 'safe/file' at the policy level but resolves to '../../secret' when passed to C functions like open(). This is a classic null-byte truncation attack against policy enforcement mechanisms (CWE-20: Improper Input Validation). The vulnerability affects the module system's ability to enforce access policies on which files jq can load.

RemediationAI

Update jq to the patched version released after 1.8.1 (exact version to be confirmed from GitHub security advisory GHSA-7q7g-mrq3-phxr at https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr). As an immediate compensating control, restrict filesystem permissions to prevent local users from accessing sensitive files that jq might load, enforce SELinux or AppArmor policies to limit jq's file access regardless of path resolution, and audit jq scripts for NUL byte usage (grep for '\x00', '\000', or null bytes in import statements). If jq must process untrusted scripts, run it in a strict chroot or container with minimal filesystem visibility. Note that these controls do not address the root cause but reduce exploitability.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-43895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy