CVE-2026-39979: CWE-125: Out-of-bounds Read in jqlang jq
CVE-2026-39979 is an out-of-bounds read vulnerability in the jq command-line JSON processor. The issue occurs in the jv_parse_sized() API of libjq before commit 2f09060afab23fe9390cce7cb860b10416e1bf5f, where error handling improperly reads beyond the buffer length when processing malformed JSON in a non-NUL-terminated buffer. This can lead to memory disclosure or process termination. The vulnerability affects any libjq consumer calling jv_parse_sized() with untrusted input. A patch fixing this issue has been committed.
AI Analysis
Technical Summary
jq is a JSON processor whose jv_parse_sized() API accepts a buffer with an explicit length parameter. Prior to commit 2f09060afab23fe9390cce7cb860b10416e1bf5f, the error handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator rather than respecting the supplied length. This causes an out-of-bounds read when the buffer is not NUL-terminated and contains malformed JSON. The vulnerability can be triggered by any consumer of libjq calling jv_parse_sized() with untrusted input, potentially causing memory disclosure or process termination. The issue has been patched in the specified commit.
Potential Impact
The vulnerability allows an out-of-bounds read beyond the end of a non-NUL-terminated input buffer when malformed JSON is processed. This can lead to disclosure of memory contents or cause the process to terminate unexpectedly. The impact depends on memory layout and usage context. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
A patch fixing this vulnerability has been committed in jq at commit 2f09060afab23fe9390cce7cb860b10416e1bf5f. Users and consumers of libjq should upgrade to a version including this commit or later to remediate the issue. Patch status is not explicitly stated beyond the commit; verify with the vendor or project repository for official releases containing the fix.
CVE-2026-39979: CWE-125: Out-of-bounds Read in jqlang jq
Description
CVE-2026-39979 is an out-of-bounds read vulnerability in the jq command-line JSON processor. The issue occurs in the jv_parse_sized() API of libjq before commit 2f09060afab23fe9390cce7cb860b10416e1bf5f, where error handling improperly reads beyond the buffer length when processing malformed JSON in a non-NUL-terminated buffer. This can lead to memory disclosure or process termination. The vulnerability affects any libjq consumer calling jv_parse_sized() with untrusted input. A patch fixing this issue has been committed.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
jq is a JSON processor whose jv_parse_sized() API accepts a buffer with an explicit length parameter. Prior to commit 2f09060afab23fe9390cce7cb860b10416e1bf5f, the error handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator rather than respecting the supplied length. This causes an out-of-bounds read when the buffer is not NUL-terminated and contains malformed JSON. The vulnerability can be triggered by any consumer of libjq calling jv_parse_sized() with untrusted input, potentially causing memory disclosure or process termination. The issue has been patched in the specified commit.
Potential Impact
The vulnerability allows an out-of-bounds read beyond the end of a non-NUL-terminated input buffer when malformed JSON is processed. This can lead to disclosure of memory contents or cause the process to terminate unexpectedly. The impact depends on memory layout and usage context. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
A patch fixing this vulnerability has been committed in jq at commit 2f09060afab23fe9390cce7cb860b10416e1bf5f. Users and consumers of libjq should upgrade to a version including this commit or later to remediate the issue. Patch status is not explicitly stated beyond the commit; verify with the vendor or project repository for official releases containing the fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-08T00:01:47.628Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd725c82d89c981f75a06a
Added to database: 4/13/2026, 10:46:52 PM
Last enriched: 4/13/2026, 11:02:02 PM
Last updated: 4/14/2026, 8:11:41 AM
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.