PT-2026-39710 · Jq · Jq
Klungler
·
Published
2026-05-11
·
Updated
2026-07-07
·
CVE-2026-41256
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
jq versions 1.8.1 and earlier
Description
Top-level programs loaded from a file using the '-f' flag are truncated at the first embedded NUL byte. A specially crafted filter file containing a NUL byte followed by an arbitrary suffix will compile and execute only the prefix preceding the NUL byte. This results in a prefix/full-buffer mismatch during the compilation path.
Recommendations
Update to a version later than 1.8.1.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jq