CVE-2026-33948: CWE-170: Improper Null Termination in jqlang jq
jq versions prior to commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where input parsing can be bypassed using embedded NUL bytes. The tool uses strlen() to determine input length, causing it to truncate JSON input at the first NUL byte and only validate the prefix. This allows malicious trailing data after the NUL byte to be ignored during validation but potentially processed by downstream consumers. This vulnerability has been patched in the specified commit. The CVSS score is low, reflecting limited impact and complexity.
AI Analysis
Technical Summary
The jq command-line JSON processor had a vulnerability (CVE-2026-33948) in versions before commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b where it used strlen() to determine the length of JSON input read via fgets(). This caused jq to truncate input at the first embedded NUL byte, validating only the prefix of the JSON input and ignoring any trailing data after the NUL byte. Attackers could craft inputs with a benign JSON prefix followed by malicious trailing data after a NUL byte, bypassing jq's validation. This could lead to parser differential attacks where downstream consumers process the full malicious input, despite jq's validation passing. The issue is addressed by the mentioned commit, which corrects input length handling.
Potential Impact
The vulnerability allows attackers to bypass jq's JSON validation by embedding NUL bytes, causing jq to ignore trailing malicious data. This can lead to downstream consumers processing unvalidated, potentially malicious JSON data. However, the impact is limited by the low CVSS score (2.9) and the requirement that downstream consumers process the full input including the ignored suffix. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability has been fixed by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b. Users should upgrade jq to a version that includes this commit or later. Patch status is not explicitly stated beyond the commit, so verify the vendor's latest releases for the fix. No additional mitigation is required if the patched version is used.
CVE-2026-33948: CWE-170: Improper Null Termination in jqlang jq
Description
jq versions prior to commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where input parsing can be bypassed using embedded NUL bytes. The tool uses strlen() to determine input length, causing it to truncate JSON input at the first NUL byte and only validate the prefix. This allows malicious trailing data after the NUL byte to be ignored during validation but potentially processed by downstream consumers. This vulnerability has been patched in the specified commit. The CVSS score is low, reflecting limited impact and complexity.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The jq command-line JSON processor had a vulnerability (CVE-2026-33948) in versions before commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b where it used strlen() to determine the length of JSON input read via fgets(). This caused jq to truncate input at the first embedded NUL byte, validating only the prefix of the JSON input and ignoring any trailing data after the NUL byte. Attackers could craft inputs with a benign JSON prefix followed by malicious trailing data after a NUL byte, bypassing jq's validation. This could lead to parser differential attacks where downstream consumers process the full malicious input, despite jq's validation passing. The issue is addressed by the mentioned commit, which corrects input length handling.
Potential Impact
The vulnerability allows attackers to bypass jq's JSON validation by embedding NUL bytes, causing jq to ignore trailing malicious data. This can lead to downstream consumers processing unvalidated, potentially malicious JSON data. However, the impact is limited by the low CVSS score (2.9) and the requirement that downstream consumers process the full input including the ignored suffix. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability has been fixed by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b. Users should upgrade jq to a version that includes this commit or later. Patch status is not explicitly stated beyond the commit, so verify the vendor's latest releases for the fix. No additional mitigation is required if the patched version is used.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T19:50:52.105Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd83f182d89c981f8ff256
Added to database: 4/14/2026, 12:01:53 AM
Last enriched: 4/14/2026, 12:17:01 AM
Last updated: 4/14/2026, 8:06:33 AM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.