CVE-2026-41256
Published 2026-05-11
Priority: P4 27 · medium · 5.5 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:N / I:H / A:N
EPSS: 0.16%, percentile 5.3
jq is a command-line JSON processor. In 1.8.1 and earlier (and also on current upstream HEAD), top-level jq programs loaded from a file with `-f` are truncated at the first embedded NUL byte. A crafted filter file such as `.` followed by a NUL byte (\x00) and an arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with the same prefix-versus-full-buffer mismatch that CVE-2026-33948 addressed for the JSON parser path, still present on the program compilation path.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| jqlang | jq | <= 1.8.1 | — |
| jqlang | jq | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| Red Hat (vendor) | | 5.5 | MEDIUM | |
Red Hat
jq: embedded NUL truncates top-level jq programs loaded with -f
vendor_redhat · 2026-05-11 · CVSS 5.5 · MEDIUM · CWE-158
A flaw was found in jq, a command line JSON processor. Top-level jq programs loaded from a file using the `-f` flag are truncated at the first embedded NUL byte. This issue allows an attacker who can supply a crafted filter file to prematurely truncate the program, potentially bypassing filtering logic and modifying the integrity of the processed data.
Statement: To exploit this flaw, an attacker needs to supply a crafted filter file containing an embedded NUL byte to be loaded by jq using the `-f` flag. This allows the attacker to prematurely truncate the program, potentially bypassing intended filtering logic and modifying the integrity of the processed data. Due to these reasons, this issue has been rated with a moderate
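The truncation described in the advisory text above and in Red Hat's statement is straightforward to model and to guard against before jq ever reads the file. The Python below is an added example written for this page; it is not jq's code and not from any of the sources quoted here. `find_embedded_nul`, `effective_program`, `vet_filter_bytes`, `jq_command` and the two sample filter byte strings are all constructed for illustration, and the loader model (everything after the first 0x00 is dropped) is taken from the advisory's description, not from jq's source. Only `run_jq` needs jq on PATH.

```python
"""Preflight check for jq filter files before they are passed to `jq -f`.

Added example for this advisory page, not jq project code. It models the
defect described above: a program file is loaded as a NUL-terminated
string, so everything after the first 0x00 byte is silently dropped and
only the prefix is compiled. The guard below refuses to hand such a file
to jq at all. The filter bytes and the helper names are constructed for
illustration.
"""
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed sample: anyone viewing this file sees a redaction filter,
# but a NUL-truncating loader compiles only the leading "." (identity),
# so secrets pass through unredacted.
CRAFTED_FILTER = b".\x00\n# redact secrets before export\ndel(.password, .api_key)\n"

# Constructed benign counterpart with no embedded NUL.
CLEAN_FILTER = b"del(.password, .api_key)\n"


@dataclass(frozen=True)
class NulFinding:
    offset: int             # byte offset of the first NUL
    executed_prefix: str    # what a NUL-terminated loader would compile
    hidden_suffix: str      # what is silently dropped


def find_embedded_nul(program: bytes) -> Optional[NulFinding]:
    """Return details of the first embedded NUL in a jq program, or None."""
    idx = program.find(b"\x00")
    if idx < 0:
        return None
    return NulFinding(
        offset=idx,
        executed_prefix=program[:idx].decode("utf-8", errors="replace"),
        hidden_suffix=program[idx + 1:].decode("utf-8", errors="replace"),
    )


def effective_program(program: bytes) -> str:
    """Model of the vulnerable load path: the text up to the first NUL."""
    finding = find_embedded_nul(program)
    if finding is None:
        return program.decode("utf-8", errors="replace")
    return finding.executed_prefix


def vet_filter_bytes(program: bytes) -> bytes:
    """Raise ValueError if jq would truncate this program; else return it unchanged."""
    finding = find_embedded_nul(program)
    if finding is not None:
        raise ValueError(
            f"embedded NUL at byte {finding.offset}: jq would execute "
            f"{finding.executed_prefix!r} and drop {finding.hidden_suffix!r}"
        )
    return program


def jq_command(filter_path: str, extra_args: Sequence[str] = ()) -> list:
    """Build a `jq -f` argv, refusing filter files that contain a NUL.

    Hypothetical wrapper: read the raw bytes ourselves and vet them,
    then let jq re-read the same path.
    """
    with open(filter_path, "rb") as fh:
        vet_filter_bytes(fh.read())
    return ["jq", "-f", filter_path, *extra_args]


def run_jq(filter_path: str, input_json: str) -> str:
    """Run jq on input_json with the vetted filter; requires jq on PATH."""
    argv = jq_command(filter_path)
    if shutil.which("jq") is None:
        raise RuntimeError("jq not found on PATH")
    done = subprocess.run(argv, input=input_json, capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_FILTER), ("crafted", CRAFTED_FILTER)):
        print(f"{label}: loader would execute {effective_program(data)!r}")
        try:
            vet_filter_bytes(data)
            print(f"{label}: OK")
        except ValueError as exc:
            print(f"{label}: REJECTED ({exc})")
```

The check belongs wherever filter files arrive from a party you do not fully trust (a CI job, a log-export pipeline, a shared dashboard definition). Reading the file in binary mode is the point: a text-mode read, or a viewer that renders NUL as nothing, shows the redaction filter in full, which is exactly the mismatch the advisory describes.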
VulDB
jqlang jq up to 1.8.1 JSON Parser null byte or nul character (GHSA-vf2h-chrj-q3fg)
vuldb · 2026-05-11 · CVSS 5.5 · MEDIUM
A vulnerability marked as problematic has been reported in jqlang jq up to 1.8.1. The affected element is an unknown function of the component JSON Parser. Performing a manipulation results in improper neutralization of null byte or nul character.
This vulnerability is cataloged as CVE-2026-41256. The attack must be initiated from a local position. There is no exploit available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-41256 jq: embedded NUL truncates top-level jq programs loaded with -f [fedora-all]
bugzilla · 2026-05-14 · CVSS 5.5 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-41256 jq: embedded NUL truncates top-level jq programs loaded with -f
bugzilla · 2026-05-11 · CVSS 2.9 · LOW