CVE-2026-39956: CWE-125: Out-of-bounds Read in jqlang jq
A vulnerability in jq, a command-line JSON processor, allows an attacker to cause an out-of-bounds read and crash the application by passing non-string arguments to the _strindices builtin. This occurs because argument type checks are only enforced by asserts that are disabled in release builds. The flaw enables controlled pointer dereference and limited memory read. The issue affects jq versions after commit 69785bf7 and before commit fdf8ef0f0. A patch fixing this vulnerability has been committed. The CVSS score is 6. 1, indicating medium severity.
AI Analysis
Technical Summary
The vulnerability (CVE-2026-39956) in jq arises from the _strindices builtin passing arguments directly to jv_string_indexes() without verifying they are strings. The jv_string_indexes() function relies on assert() checks that are removed in release builds compiled with -DNDEBUG, allowing attackers to crash jq with crafted input such as _strindices(0). Furthermore, by crafting a numeric value whose IEEE-754 bit pattern corresponds to a chosen pointer, an attacker can achieve controlled pointer dereference and limited memory read. This vulnerability affects jq versions from commit 69785bf7 up to but not including commit fdf8ef0f0. The issue has been patched in commit fdf8ef0f0.
Potential Impact
An attacker who can supply untrusted jq filters to a release build of jq can cause the application to crash (denial of service) and potentially read limited memory contents through controlled pointer dereference. There is no indication of code execution or integrity impact. The vulnerability requires local access to run jq with crafted input and user interaction (UI:R). The CVSS vector indicates low attack complexity and no privileges required but user interaction is needed.
Mitigation Recommendations
A patch fixing this vulnerability has been committed in jq at commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03. Users should upgrade to a version including this commit or later. Until patched, avoid evaluating untrusted jq filters in release builds. Patch status is confirmed by the vendor commit reference.
CVE-2026-39956: CWE-125: Out-of-bounds Read in jqlang jq
Description
A vulnerability in jq, a command-line JSON processor, allows an attacker to cause an out-of-bounds read and crash the application by passing non-string arguments to the _strindices builtin. This occurs because argument type checks are only enforced by asserts that are disabled in release builds. The flaw enables controlled pointer dereference and limited memory read. The issue affects jq versions after commit 69785bf7 and before commit fdf8ef0f0. A patch fixing this vulnerability has been committed. The CVSS score is 6. 1, indicating medium severity.
CVSS v3.1
Score 6.1medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability (CVE-2026-39956) in jq arises from the _strindices builtin passing arguments directly to jv_string_indexes() without verifying they are strings. The jv_string_indexes() function relies on assert() checks that are removed in release builds compiled with -DNDEBUG, allowing attackers to crash jq with crafted input such as _strindices(0). Furthermore, by crafting a numeric value whose IEEE-754 bit pattern corresponds to a chosen pointer, an attacker can achieve controlled pointer dereference and limited memory read. This vulnerability affects jq versions from commit 69785bf7 up to but not including commit fdf8ef0f0. The issue has been patched in commit fdf8ef0f0.
Potential Impact
An attacker who can supply untrusted jq filters to a release build of jq can cause the application to crash (denial of service) and potentially read limited memory contents through controlled pointer dereference. There is no indication of code execution or integrity impact. The vulnerability requires local access to run jq with crafted input and user interaction (UI:R). The CVSS vector indicates low attack complexity and no privileges required but user interaction is needed.
Mitigation Recommendations
A patch fixing this vulnerability has been committed in jq at commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03. Users should upgrade to a version including this commit or later. Until patched, avoid evaluating untrusted jq filters in release builds. Patch status is confirmed by the vendor commit reference.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T22:40:33.822Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd6ed782d89c981f72b22a
Added to database: 4/13/2026, 10:31:51 PM
Last enriched: 4/21/2026, 6:15:26 AM
Last updated: 5/27/2026, 10:35:10 PM
Views: 84
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.