CVE-2026-33948
published 2026-04-14CVE-2026-33948: jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation…
PriorityP430medium5.3CVSS 3.1
AVNACLPRNUINSUCNILAN
EPSS
0.26%
16.8th percentile
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jqlang | jq | < 2026-04-12 | 2026-04-12 |
| jqlang | jq | <= 1.8.1 | — |
| jqlang | jq | <= 1.8.1 | — |
| ubuntu | jq | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvdv4.02.9LOWCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_ubuntu8.2HIGH
vendor_redhat2.9LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
jq regression
vendor_ubuntu·2026-05-21·CVSS 7.5
CVE-2026-40164 [HIGH] jq regression
Title: jq regression
Summary: USN-8202-1 introduced a regression in jq
USN-8202-1 fixed vulnerabilities in jq. The update caused a regression
for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that jq did not correctly handle certain string
concatenations. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. This issue was addressed in Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu
24.04 LTS and Ubuntu 25.10. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain
circumstances. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-33947)
It was
Ubuntu
jq vulnerabilities
vendor_ubuntu·2026-04-28·CVSS 8.2
CVE-2026-33948 [HIGH] jq vulnerabilities
Title: jq vulnerabilities
Summary: Several security issues were fixed in jq.
USN-8202-1 fixed vulnerabilities in jq. This update provides the
corresponding update to Ubuntu 26.04 LTS.
Original advisory details:
It was discovered that jq did not correctly handle certain string
concatenations. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain
circumstances. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-33947)
It was discovered that jq did not correctly handle improperly terminated
strings. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. (CVE-2026-33948)
It was disco
Ubuntu
jq vulnerabilities
vendor_ubuntu·2026-04-23·CVSS 8.2
CVE-2026-32316 [HIGH] jq vulnerabilities
Title: jq vulnerabilities
Summary: Several security issues were fixed in jq.
It was discovered that jq did not correctly handle certain string
concatenations. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. This issue was addressed in Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu
24.04 LTS and Ubuntu 25.10. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain
circumstances. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-33947)
It was discovered that jq did not correctly handle improperly terminated
strings. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. This issue was addressed in Ubu
Red Hat
jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks
vendor_redhat·2026-04-13·CVSS 2.9
CVE-2026-33948 [LOW] CWE-170 jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks
jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks
A flaw was found in jq, a command-line JSON processor. This vulnerability allows a remote attacker to bypass input validation by crafting malicious JSON input containing embedded null (NUL) bytes. Due to incorrect handling of input buffer lengths, jq truncates the input at the first NUL byte, validating only the benign prefix and silently discarding any malicious data that follows. This can lead to parser differential attacks where downstream systems, relying on jq for validation, may process the full, unvalidated input, potentially leading to unexpected behavior or security compromises.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the
VulDB
jqlang jq strlen null termination (GHSA-32cx-cvvh-2wj9 / Nessus ID 307506)
vuldb·2026-04-20·CVSS 2.9
CVE-2026-33948 [LOW] jqlang jq strlen null termination (GHSA-32cx-cvvh-2wj9 / Nessus ID 307506)
A vulnerability marked as critical has been reported in jqlang jq. This affects the function strlen. Performing a manipulation results in improper null termination.
This vulnerability is cataloged as CVE-2026-33948. It is possible to initiate the attack remotely. There is no exploit available.
It is suggested to install a patch to address this issue.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-41256 jq: embedded NUL truncates top-level jq programs loaded with -f
bugzilla·2026-05-11·CVSS 2.9
CVE-2026-41256 [LOW] CVE-2026-41256 jq: embedded NUL truncates top-level jq programs loaded with -f
CVE-2026-41256 jq: embedded NUL truncates top-level jq programs loaded with -f
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
Bugzilla
CVE-2026-33948 jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks [fedora-all]
bugzilla·2026-04-14·CVSS 2.9
CVE-2026-33948 [LOW] CVE-2026-33948 jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks [fedora-all]
CVE-2026-33948 jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-33948 jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks
bugzilla·2026-04-14·CVSS 2.9
CVE-2026-33948 [LOW] CVE-2026-33948 jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks
CVE-2026-33948 jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks
jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to dow
2026-04-14
Published