PT-2026-32562 · Jq+2

Ho-9

Published 2026-04-12 · Updated 2026-05-24 · CVE-2026-33948

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: jq versions prior to commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b
Description: CLI input parsing allows validation bypass via embedded NUL bytes when reading JSON from files or stdin. The software uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing input to be truncated at the first NUL byte and parsing only the preceding prefix. This allows an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data; the system validates only the prefix as valid JSON while silently discarding the suffix. Workflows that rely on the tool to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, where consumers may process the full input including the malicious trailing bytes.
Recommendations: Update to the version containing commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.
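As an added illustration (not jq's own code and not the contents of the fixing commit), the following C program contrasts the strlen()-based length computation described above with a reader that uses the byte count the I/O call actually returns, plus the check a forwarding workflow would want: rejecting any input whose bytes actually read contain an embedded NUL. The sample input and the tmpfile()-based harness are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: benign JSON prefix, an embedded NUL, then trailing
 * bytes that a strlen()-based reader never sees. 26 bytes in total. */
static const char SAMPLE[] = "{\"ok\":true}\0{\"trailing\":1}";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Vulnerable pattern from the advisory: read with fgets(), then measure the
 * buffer with strlen(). strlen() stops at the embedded NUL, so only the
 * prefix is handed to the parser and validated. */
size_t read_len_strlen(FILE *in, char *buf, size_t cap) {
    if (!fgets(buf, (int)cap, in)) return 0;
    return strlen(buf);
}

/* Hardened pattern: use the byte count the I/O call actually returns, so the
 * length covers every byte consumed, including those after a NUL. */
size_t read_len_fread(FILE *in, char *buf, size_t cap) {
    return fread(buf, 1, cap, in);
}

/* Validation check for forwarding workflows: JSON text never legitimately
 * contains a raw NUL, so one in the bytes actually read means prefix and
 * full input would parse differently. Returns 1 if such a NUL is present. */
int has_embedded_nul(const char *buf, size_t len) {
    return memchr(buf, '\0', len) != NULL;
}

/* Demonstration harness (assumed, not part of jq): write the sample to an
 * ISO C temporary file, then run one reader over it and report the length
 * it would hand to the parser. */
size_t measure(size_t (*reader)(FILE *, char *, size_t)) {
    static char buf[128];
    FILE *in = tmpfile();
    if (!in) return 0;
    fwrite(SAMPLE, 1, SAMPLE_LEN, in);
    rewind(in);
    size_t n = reader(in, buf, sizeof buf);
    fclose(in);
    return n;
}

int main(void) {
    printf("strlen()-based length: %zu (prefix only)\n", measure(read_len_strlen));
    printf("fread() byte count:    %zu (full input)\n", measure(read_len_fread));
    printf("embedded NUL present:  %d\n", has_embedded_nul(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

The first reader reports 11 bytes (the prefix) while the second reports all 26, which is exactly the discrepancy a downstream consumer reading the full stream would see.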

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-05571
CVE-2026-33948
ECHO-EFE2-3845-7825
OESA-2026-1981
OPENSUSE-SU-2026:10850-1
RHSA-2026:8579
USN-8202-1
USN-8202-2

Affected Products

Linuxmint
Ubuntu
Jq