CVE-2026-39979

MEDIUM EPSS 23.1%
Published Apr 13, 20262mo ago · Modified Jun 17, 20262w ago
6.9 CVSS 4.0
Medium
Find Similar
Published Apr 13, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

CVSS Details

Base Score
6.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
23.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-125 Out-of-bounds Read Memory Safety

Affected Products 1

VendorProductVersionRange
jqlangjq* <2026-04-12

References 2

  • github.com https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f
    Patch
  • github.com https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f
    Patch