CVE-2026-39956
Published 2026-04-13
Priority: P4
Severity: medium (CVSS 3.1 base score 6.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
EPSS: 0.17% (7.1th percentile)
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
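The C model below is an added illustration, not jq's code and not its real jv layout. It shows the pattern the advisory describes: a type check implemented only with assert() disappears in a -DNDEBUG release build, and a number whose IEEE-754 bit pattern equals an address is then dereferenced as if it were a string. All names in it (val_t, str_indices, DEBUG_ONLY_CHECK, the constructed secret buffer) are this example's own; the search routine mirrors what a string-indices builtin does but is not jv_string_indexes().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

_Static_assert(sizeof(double) == sizeof(uint64_t), "double must be 64-bit");

typedef enum { K_NUMBER, K_STRING } kind_t;

/* Hypothetical tagged value (not jq's jv layout): a number and a string
 * pointer share storage, so a number read as a string is its IEEE-754 bits
 * reinterpreted as an address. */
typedef struct {
    kind_t kind;
    union {
        double number;
        const char *str;
    } u;
} val_t;

static val_t mk_string(const char *s) {
    val_t v;
    v.kind = K_STRING;
    v.u.str = s;
    return v;
}

/* A number built from raw bits: what an attacker achieves by supplying a JSON
 * number literal whose double encoding equals a chosen address. */
static val_t mk_number_bits(uint64_t bits) {
    val_t v;
    v.kind = K_NUMBER;
    memset(&v.u, 0, sizeof v.u);
    memcpy(&v.u.number, &bits, sizeof bits);
    return v;
}

/* Stands in for assert(): under -DNDEBUG assert() expands to nothing, which is
 * the default (release) configuration of this example. */
#ifdef DEBUG_BUILD
#  define DEBUG_ONLY_CHECK(cond) do { if (!(cond)) abort(); } while (0)
#else
#  define DEBUG_ONLY_CHECK(cond) ((void)0)
#endif

/* Byte offsets of every occurrence of needle in hay (the _strindices idea).
 * runtime_check == 0: the vulnerable pattern, types guarded only by the
 * debug-only check. runtime_check != 0: the fix, an unconditional check that
 * returns -1 for a non-string argument. Otherwise returns the match count. */
static long str_indices(val_t hay, val_t needle, size_t *out, size_t cap, int runtime_check) {
    if (runtime_check) {
        if (hay.kind != K_STRING || needle.kind != K_STRING)
            return -1;
    } else {
        DEBUG_ONLY_CHECK(hay.kind == K_STRING && needle.kind == K_STRING);
    }
    /* From here on a number argument is dereferenced as a char pointer. */
    const char *h = hay.u.str;
    const char *n = needle.u.str;
    size_t hl = strlen(h), nl = strlen(n), count = 0;
    if (nl == 0 || nl > hl)
        return 0;
    for (size_t i = 0; i + nl <= hl; i++) {
        if (memcmp(h + i, n, nl) == 0) {
            if (count < cap)
                out[count] = i;
            count++;
        }
    }
    return (long)count;
}

/* Constructed data an attacker wants to probe; only its address is "known". */
static const char secret[] = "token=abc123";

/* Normal use through the fixed path: "a,b,c" / "," gives offsets 1 and 3. */
static long normal_use(size_t *out, size_t cap) {
    return str_indices(mk_string("a,b,c"), mk_string(","), out, cap, 1);
}

/* The trivial crash: the number 0 is the all-zero pattern, i.e. a NULL pointer.
 * With the runtime check it is rejected (-1); without it, strlen(NULL) kills
 * the process, which is the _strindices(0) crash from the advisory. */
static long zero_rejected_by_fix(void) {
    size_t out[4];
    return str_indices(mk_number_bits(0), mk_string(","), out, 4, 1);
}

/* The read primitive: a number whose bits equal secret's address passes the
 * (stripped) check and is searched like a string. The caller learns that
 * "abc" sits at offset 6 of memory it never supplied. */
static long leak_offset_via_unchecked(void) {
    size_t out[4];
    uint64_t addr = (uint64_t)(uintptr_t)secret;
    long count = str_indices(mk_number_bits(addr), mk_string("abc"), out, 4, 0);
    return count == 1 ? (long)out[0] : -1;
}
```

Compile the same file with -DDEBUG_BUILD to see the other failure mode of a non-release build: the check fires and abort()s, so the crash remains but the memory probe does not. The probe shape from the advisory is a filter such as _strindices(0) evaluated by a release jq; a build containing the fix rejects the non-string argument with a runtime error instead of dereferencing it.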
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jqlang | jq | — | — |
| jqlang | jq | >= 2026-04-02 < 2026-04-08 | 2026-04-08 |
| ubuntu | jq | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H |
| vendor_ubuntu | 8.2 | HIGH | — |
| vendor_redhat | 6.1 | MEDIUM | — |
Ubuntu
jq regression
vendor_ubuntu·2026-05-21·CVSS 7.5
CVE-2026-40164 [HIGH] jq regression
Title: jq regression
Summary: USN-8202-1 introduced a regression in jq
USN-8202-1 fixed vulnerabilities in jq. The update caused a regression
for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that jq did not correctly handle certain string
concatenations. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. This issue was addressed in Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu
24.04 LTS and Ubuntu 25.10. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain
circumstances. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-33947)
It was
Ubuntu
jq vulnerabilities
vendor_ubuntu·2026-04-28·CVSS 8.2
CVE-2026-33948 [HIGH] jq vulnerabilities
Title: jq vulnerabilities
Summary: Several security issues were fixed in jq.
USN-8202-1 fixed vulnerabilities in jq. This update provides the
corresponding update to Ubuntu 26.04 LTS.
Original advisory details:
It was discovered that jq did not correctly handle certain string
concatenations. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain
circumstances. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-33947)
It was discovered that jq did not correctly handle improperly terminated
strings. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. (CVE-2026-33948)
It was disco
Ubuntu
jq vulnerabilities
vendor_ubuntu·2026-04-23·CVSS 8.2
CVE-2026-32316 [HIGH] jq vulnerabilities
Title: jq vulnerabilities
Summary: Several security issues were fixed in jq.
It was discovered that jq did not correctly handle certain string
concatenations. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. This issue was addressed in Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu
24.04 LTS and Ubuntu 25.10. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain
circumstances. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-33947)
It was discovered that jq did not correctly handle improperly terminated
strings. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. This issue was addressed in Ubu
Red Hat
jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure
vendor_redhat·2026-04-13·CVSS 6.1
CVE-2026-39956 [MEDIUM] CWE-1287 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure
A flaw was found in jq, a command line JSON processor. In release builds, the `_strindices` builtin function calls the `jv_string_indexes` function without checking that the arguments are actually strings. This missing validation allows an attacker who can supply non-string inputs to cause an application crash and a limited memory read.
Statement: To exploit this flaw, a user needs to process JSON input with an attacker-supplied argument to the `_strindices` builtin. This allows the attacker to cause an application crash and a limited memory read with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity.
Mitigation: Do not use untrusted input
VulDB
jqlang jq src/builtin.c jv_string_indexes out-of-bounds (GHSA-6gc3-3g9p-xx28 / Nessus ID 307503)
vuldb·2026-04-20·CVSS 6.1
CVE-2026-39956 [MEDIUM] jqlang jq src/builtin.c jv_string_indexes out-of-bounds (GHSA-6gc3-3g9p-xx28 / Nessus ID 307503)
A vulnerability has been found in jqlang jq and classified as problematic. The function jv_string_indexes of the file src/builtin.c is affected. This manipulation causes an out-of-bounds read.
This vulnerability is handled as CVE-2026-39956. It is possible to launch the attack on the local host. No exploit is available.
It is suggested to install a patch to address this issue.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure [fedora-all]
bugzilla·2026-04-14·CVSS 6.1
CVE-2026-39956 [MEDIUM] CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure
bugzilla·2026-04-13·CVSS 6.1
CVE-2026-39956 [MEDIUM] CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure