CVE-2026-41256

EUVD-2026-29162

11.05.2026, 18:16

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
jqlang	jq	𝑥 ≤ 1.8.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

jq

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	1.6-2.1+deb11u2 fixed
forky	1.8.1-8 fixed
sid	1.8.2-1 fixed
trixie	no-dsa

Azure Linux Releases

Azure Package

Release

jq

Azure Linux 3.0

0:1.7.1-6.azl3

fixed

Known Exploits!

Common Weakness Enumeration

CWE-158 - Improper Neutralization of Null Byte or NUL Character
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

References

https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg

https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg