PT-2026-32542 · Jq+2

Tlsbollei

Published 2026-04-08 · Updated 2026-05-24 · CVE-2026-39956

CVSS v3.1: 6.1 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
Name of the Vulnerable Software and Affected Versions: jq (affected versions not specified)
Description: The strindices builtin in src/builtin.c passes its arguments to jv_string_indexes() in src/jv.c without verifying that they are strings. jv_string_indexes() relies on assert() checks for its type preconditions, and those checks are compiled out of release builds built with -DNDEBUG, so a filter such as strindices(0) reaches the string code with a non-string value and crashes the process. Additionally, a numeric value whose IEEE-754 bit pattern maps to a specific pointer yields a controlled pointer dereference and a limited memory read/probe primitive. This affects deployments that evaluate untrusted filters against a release build.
Recommendations: Apply the fix provided in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
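The root cause is a general C pattern: an assert() is a debugging aid, not an input validation step, because -DNDEBUG turns it into nothing. The following is an added illustration, not jq's code; it uses a hypothetical tagged `value` type (assumed here, unrelated to jq's jv API) to show a helper that guards its string precondition only with assert(), next to a builtin-style entry point that validates the dynamic type explicitly and returns an error code instead of trusting the debug-only check.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical tagged value for this illustration (not jq's jv type).
 * A number and a string share one struct; only the field matching .kind
 * is meaningful, the other holds whatever was left there. */
typedef enum { V_NUMBER, V_STRING } vkind;
typedef struct {
    vkind kind;
    double num;       /* valid when kind == V_NUMBER */
    const char *str;  /* valid when kind == V_STRING */
} value;

static value make_num(double d) { value v = { V_NUMBER, d, NULL }; return v; }
static value make_str(const char *s) { value v = { V_STRING, 0.0, s }; return v; }

/* Internal helper: counts (possibly overlapping) occurrences of needle in hay.
 * Precondition: both arguments are strings. The assert() documents that
 * precondition for debug builds only; under -DNDEBUG it expands to nothing,
 * so a caller that forwards a number here makes strstr() dereference the
 * stale .str field. This mirrors the advisory's "relies on assert() checks"
 * failure mode in a self-contained form. */
static int indexes_internal(value hay, value needle) {
    assert(hay.kind == V_STRING && needle.kind == V_STRING);
    int count = 0;
    size_t nlen = strlen(needle.str);
    if (nlen == 0)
        return 0;
    for (const char *p = hay.str; (p = strstr(p, needle.str)) != NULL; p++)
        count++;
    return count;
}

/* Builtin-style entry point written the safe way: check the dynamic types
 * before calling the helper, in code that survives -DNDEBUG, and report a
 * distinct error (-1) so the caller can raise "requires string arguments". */
int strindices_checked(value hay, value needle) {
    if (hay.kind != V_STRING || needle.kind != V_STRING)
        return -1;
    return indexes_internal(hay, needle);
}
```

The explicit check in strindices_checked() is the only one of the two that still exists in a release binary; a code review of any builtin that forwards user-controlled values to a typed helper should confirm the validation lives there, not solely in an assert().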

Weakness Enumeration

Out-of-bounds Read

Type Confusion

NULL Pointer Dereference

Related Identifiers

BDU:2026-05499
CVE-2026-39956
ECHO-70DE-E2DC-F745
OESA-2026-1981
OPENSUSE-SU-2026:10850-1
RHSA-2026:8579
USN-8202-1
USN-8202-2

Affected Products

Linuxmint
Ubuntu
Jq