CVE-2026-39956: CWE-125: Out-of-bounds Read in jqlang jq
A vulnerability (CVE-2026-39956) exists in jq, a command-line JSON processor, where the _strindices builtin passes arguments to jv_string_indexes() without verifying they are strings. This leads to out-of-bounds reads and potential controlled pointer dereference in release builds compiled with -DNDEBUG, allowing attackers to crash jq or perform limited memory reads. The issue affects jq versions after commit 69785bf7 up to but not including commit fdf8ef0f0, where it was patched. The vulnerability has a CVSS score of 6. 1 (medium severity).
AI Analysis
Technical Summary
The jq utility contains an out-of-bounds read vulnerability due to improper argument type verification in the _strindices builtin function. Specifically, arguments are passed directly to jv_string_indexes() without ensuring they are strings. The jv_string_indexes() function relies on assert() checks that are removed in release builds compiled with -DNDEBUG, enabling attackers to cause a crash or craft inputs that lead to controlled pointer dereference and limited memory probing. This vulnerability affects jq versions from commit 69785bf7 through to before commit fdf8ef0f0, where the issue was fixed.
Potential Impact
An attacker who can supply untrusted jq filters to a release build of jq can cause the application to crash or potentially read limited memory areas by exploiting the out-of-bounds read and controlled pointer dereference. The impact includes denial of service and limited information disclosure. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability has been patched in jq at commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03. Users should upgrade jq to a version that includes this commit or later. Since jq is not a cloud service, remediation requires applying the official fix by updating the software. Patch status is confirmed by the vendor commit reference.
CVE-2026-39956: CWE-125: Out-of-bounds Read in jqlang jq
Description
A vulnerability (CVE-2026-39956) exists in jq, a command-line JSON processor, where the _strindices builtin passes arguments to jv_string_indexes() without verifying they are strings. This leads to out-of-bounds reads and potential controlled pointer dereference in release builds compiled with -DNDEBUG, allowing attackers to crash jq or perform limited memory reads. The issue affects jq versions after commit 69785bf7 up to but not including commit fdf8ef0f0, where it was patched. The vulnerability has a CVSS score of 6. 1 (medium severity).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The jq utility contains an out-of-bounds read vulnerability due to improper argument type verification in the _strindices builtin function. Specifically, arguments are passed directly to jv_string_indexes() without ensuring they are strings. The jv_string_indexes() function relies on assert() checks that are removed in release builds compiled with -DNDEBUG, enabling attackers to cause a crash or craft inputs that lead to controlled pointer dereference and limited memory probing. This vulnerability affects jq versions from commit 69785bf7 through to before commit fdf8ef0f0, where the issue was fixed.
Potential Impact
An attacker who can supply untrusted jq filters to a release build of jq can cause the application to crash or potentially read limited memory areas by exploiting the out-of-bounds read and controlled pointer dereference. The impact includes denial of service and limited information disclosure. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
This vulnerability has been patched in jq at commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03. Users should upgrade jq to a version that includes this commit or later. Since jq is not a cloud service, remediation requires applying the official fix by updating the software. Patch status is confirmed by the vendor commit reference.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T22:40:33.822Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd6ed782d89c981f72b22a
Added to database: 4/13/2026, 10:31:51 PM
Last enriched: 4/13/2026, 10:46:52 PM
Last updated: 4/14/2026, 8:13:19 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.