PT-2026-39710 · Jq · Jq

Klungler

·

Published

2026-05-11

·

Updated

2026-07-07

·

CVE-2026-41256

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions jq versions 1.8.1 and earlier
Description Top-level programs loaded from a file using the '-f' flag are truncated at the first embedded NUL byte. A specially crafted filter file containing a NUL byte followed by an arbitrary suffix will compile and execute only the prefix preceding the NUL byte. This results in a prefix/full-buffer mismatch during the compilation path.
Recommendations Update to a version later than 1.8.1.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41256
ECHO-0FBB-9CA8-7649
GHSA-VF2H-CHRJ-Q3FG
OESA-2026-2424
OESA-2026-2425
OESA-2026-2426
OESA-2026-2427
OESA-2026-2487
OPENSUSE-SU-2026:10850-1
OPENSUSE-SU-2026:21248-1
SUSE-SU-2026:22545-1

Affected Products

Jq