CVE-2026-41256

Exploit

EPSS 0.16%
Veröffentlicht 11.05.2026 18:16:33
Zuletzt bearbeitet 13.05.2026 17:00:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

jq: Embedded NUL truncates top-level jq programs loaded with -f

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jqlang ≫ Jq Version <= 1.8.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.053

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-158 Improper Neutralization of Null Byte or NUL Character

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-41256

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41256

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41256

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41256