CVE-2026-33948: Improper Input Validation in JQ

Severity: 2.9 LOW (NVD)
EPSS: 0.1% (top 73.17%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 14

Description

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed
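The strlen()-versus-byte-count mismatch described above, as an added illustration (not jq's own code or its fix): a constructed input with a benign JSON prefix, an embedded NUL and trailing bytes is read by a length-tracking reader, then measured both ways; the hardened check refuses any chunk containing a NUL instead of silently validating only the prefix.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: benign JSON prefix, an embedded NUL, then trailing
 * bytes that a parser seeing the whole input would reject. */
static const char SAMPLE[] = "{\"ok\":true}\0{\"bad\":}";
static const size_t SAMPLE_LEN = sizeof(SAMPLE) - 1;   /* 20 bytes */

/* Vulnerable measurement: strlen() stops at the first NUL, so only the
 * 11-byte prefix {"ok":true} reaches the parser; nread is ignored. */
size_t vuln_input_len(const char *buf, size_t nread) {
    (void)nread;
    return strlen(buf);
}

/* Hardened measurement: trust the byte count the reader returned and
 * refuse any chunk containing a NUL (a raw NUL is never valid JSON text).
 * Returns the full length, or -1 to reject the input outright. */
long safe_input_len(const char *buf, size_t nread) {
    if (memchr(buf, '\0', nread) != NULL)
        return -1;
    return (long)nread;
}

/* Reader that keeps the true byte count via fread() rather than relying
 * on NUL termination; a stand-in for the file/stdin read path. */
size_t read_chunk(FILE *f, char *buf, size_t cap) {
    return fread(buf, 1, cap, f);
}

int main(void) {
    char buf[64];
    FILE *f = tmpfile();                 /* simulate stdin carrying SAMPLE */
    if (!f) return 1;
    fwrite(SAMPLE, 1, SAMPLE_LEN, f);
    rewind(f);
    size_t nread = read_chunk(f, buf, sizeof buf);
    fclose(f);

    printf("bytes read: %zu, strlen() sees: %zu\n",
           nread, vuln_input_len(buf, nread));
    if (safe_input_len(buf, nread) < 0)
        puts("rejected: embedded NUL in JSON input");
    return 0;
}
```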

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (1 package)

CVEList V5: jqlang/jq < 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b

Vulnerability Details (1)

CVEList: jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input (2026-04-13)

Vendor Advisories (1)

Red Hat: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks (2026-04-13)

Community (2)

Bugzilla: CVE-2026-33948 jq: Input validation bypass via embedded NUL bytes allows parser differential attacks [fedora-all] (2026-04-14)
Bugzilla: CVE-2026-33948 jq: Input validation bypass via embedded NUL bytes allows parser differential attacks (2026-04-14)
CVE-2026-33948 — Improper Input Validation in Jqlang JQ | cvebase