CVE-2026-39956Out-of-bounds Read in JQ

CWE-125Out-of-bounds ReadCWE-476NULL Pointer DereferenceCWE-843Type ConfusionCWE-1287Improper Validation of Specified Type of Input5 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 98.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jqlang JQ
Timeline
PublishedApr 13
Latest updateApr 14

Description

jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern map

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:HExploitability: 1.8 | Impact: 4.2

Affected Packages1 packages

CVEListV5jqlang/jq>= 69785bf77f86e2ea1b4a20ca86775916889e91c9, < fdf8ef0f0810e3d365cdd5160de43db46f57ed03

🔴Vulnerability Details

1
CVEList
jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure2026-04-13

📋Vendor Advisories

1
Red Hat
jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure2026-04-13

💬Community

2
Bugzilla
CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure [fedora-all]2026-04-14
Bugzilla
CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure2026-04-13
CVE-2026-39956 — Out-of-bounds Read in Jqlang JQ | cvebase