CVE-2026-33948: CWE-170: Improper Null Termination in jqlang jq
jq versions prior to commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b mishandle embedded NUL bytes in their input. When reading JSON from a file or stdin, jq fills a buffer with fgets() and then takes the line length from strlen() rather than from the number of bytes fgets() actually stored; because strlen() stops at the first NUL byte, the input is silently truncated there and only the prefix is parsed and validated as JSON. An attacker can therefore supply a valid JSON prefix, a NUL byte, and trailing data that jq never examines but that a downstream consumer reading the full byte stream may process. The vulnerability is fixed in the commit above.
AI Analysis
Technical Summary
Before commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b, jq reads JSON from files or stdin with fgets() and measures the filled buffer with strlen(). strlen() stops at the first NUL byte, so a line of the form <valid JSON><NUL><anything> is cut down to its prefix, which is the only part jq parses and validates. The result is a parser differential: jq reports the input as valid, while any consumer that reads the same bytes without stopping at NUL (a byte that JSON text is never supposed to contain unescaped) sees the trailing data as well. The issue is tracked as CVE-2026-33948 and is fixed by the referenced commit.
Potential Impact
An attacker who controls input to a pipeline that uses jq as a JSON validation gate can get a benign prefix validated while the bytes after the NUL pass through unchecked. jq itself is not subverted; the risk falls on downstream consumers that read the full input and may treat the trailing data, which jq never inspected, as JSON or as anything else they parse. The CVSS v4.0 score is low (2.9), reflecting that exploitation requires such a two-parser setup and that jq's own behaviour is limited to ignoring the trailing bytes.
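The following C program is an added example and is not jq's code. It reproduces the pattern the advisory describes (a line read with fgets(), then measured with strlen()) on a constructed input with an embedded NUL, and shows how much of the line a strlen()-based validator misses compared with a consumer that reads every byte that was stored. The true byte count is taken from the stream position delta around the fgets() call; the object counter is a deliberately naive stand-in for a NUL-tolerant downstream consumer, not a JSON parser. The sample inputs, the struct and all function names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not jq's code: fgets() stores bytes up to '\n' or EOF and
 * does not stop at a NUL, but strlen() on the filled buffer does. Anything
 * between the first NUL and the newline is invisible to a strlen()-based
 * validator yet present for any consumer that reads the stored bytes. */

/* Constructed attacker input: benign object, embedded NUL, second object. */
static const char SAMPLE[] = "{\"role\":\"user\"}\0{\"role\":\"admin\"}\n";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)   /* 33 bytes; the NUL is at offset 15 */

/* Constructed clean input for comparison: no NUL, so no differential. */
static const char CLEAN[] = "{\"a\":1}\n";
#define CLEAN_LEN (sizeof(CLEAN) - 1)     /* 8 bytes */

struct measurement {
    size_t stored;            /* bytes fgets() actually placed in the buffer */
    size_t by_strlen;         /* length strlen() reports: stops at the first NUL */
    size_t objects_validated; /* top-level objects inside the strlen() span */
    size_t objects_consumed;  /* top-level objects inside the full stored span */
};

/* Deliberately naive stand-in for a NUL-tolerant downstream consumer: counts
 * top-level '{' ... '}' pairs over an explicit byte range. Not a JSON parser
 * (braces inside strings are not handled), just enough to show how many
 * values each side of the differential sees. */
size_t count_top_level_objects(const char *buf, size_t len) {
    size_t depth = 0, objects = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '{') {
            if (depth++ == 0) objects++;
        } else if (buf[i] == '}' && depth > 0) {
            depth--;
        }
    }
    return objects;
}

/* Write the input to a temporary binary stream, read one line back with
 * fgets(), and measure it both ways. The true byte count is the stream
 * position delta across the fgets() call, which is independent of NULs. */
struct measurement measure(const char *input, size_t input_len) {
    struct measurement m = {0, 0, 0, 0};
    char buf[256];
    if (input_len >= sizeof buf) return m;   /* keep it to a single fgets() call */

    FILE *fp = tmpfile();                    /* ISO C; opened in "wb+" mode */
    if (fp == NULL) return m;
    if (fwrite(input, 1, input_len, fp) != input_len || fseek(fp, 0L, SEEK_SET) != 0) {
        fclose(fp);
        return m;
    }
    long before = ftell(fp);
    if (fgets(buf, (int)sizeof buf, fp) == NULL) {
        fclose(fp);
        return m;
    }
    long after = ftell(fp);
    fclose(fp);

    m.stored = (size_t)(after - before);
    m.by_strlen = strlen(buf);               /* the vulnerable measurement */
    m.objects_validated = count_top_level_objects(buf, m.by_strlen);
    m.objects_consumed = count_top_level_objects(buf, m.stored);
    return m;
}

int main(void) {
    struct measurement m = measure(SAMPLE, SAMPLE_LEN);
    struct measurement c = measure(CLEAN, CLEAN_LEN);
    printf("NUL sample: fgets() stored %zu bytes, strlen() reports %zu; "
           "validator sees %zu object(s), consumer sees %zu\n",
           m.stored, m.by_strlen, m.objects_validated, m.objects_consumed);
    printf("clean line: stored %zu, strlen() %zu; both sides see %zu object(s)\n",
           c.stored, c.by_strlen, c.objects_consumed);
    return 0;
}
```

For the NUL sample the validator sees one object spanning 15 bytes while the consumer sees two across all 33 stored bytes; for the clean line both measurements agree. The same byte count also gives a cheap pre-check a pipeline can apply before calling jq: since JSON text never legitimately contains a raw NUL byte, `memchr(buf, '\0', stored) != NULL` over the true length is grounds to reject the input outright.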
Mitigation Recommendations
The fix is commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b; upgrade to a jq build that includes it. The vendor advisory indicates no other mitigation and does not name a tagged release containing the fix, so check the project's releases (or the commit history of the build you run) to confirm it is present. Independently of the patch, because valid JSON text never contains a raw NUL byte, a pipeline that relies on jq for validation can reject any input containing a NUL byte before invoking jq.
CVSS v4.0 score: 2.9 (Low)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T19:50:52.105Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: not provided
Threat ID: 69dd83f182d89c981f8ff256
Added to database: 4/14/2026, 12:01:53 AM
Last enriched: 4/21/2026, 6:17:22 AM
Last updated: 5/29/2026, 6:23:56 PM