CVE-2026-39979
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| jqlang | jq | < 2f09060afab23fe9390cce7cb860b10416e1bf5f | affected |
Weaknesses
- CWE-125: CWE-125: Out-of-bounds Read
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers
Additional References
- https://access.redhat.com/security/cve/CVE-2026-39979
- https://bugzilla.redhat.com/show_bug.cgi?id=2458077
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39979.json
- https://access.redhat.com/errata/RHSA-2026:26528
- https://access.redhat.com/errata/RHSA-2026:26542
- https://access.redhat.com/errata/RHSA-2026:28887
- https://access.redhat.com/errata/RHSA-2026:23233
- https://access.redhat.com/errata/RHSA-2026:25044
- https://access.redhat.com/errata/RHSA-2026:25181
- https://access.redhat.com/errata/RHSA-2026:23245
- https://access.redhat.com/errata/RHSA-2026:16252
- https://access.redhat.com/errata/RHSA-2026:18048
- https://access.redhat.com/errata/RHSA-2026:18047
- https://access.redhat.com/errata/RHSA-2026:18046
- https://access.redhat.com/errata/RHSA-2026:18045
- https://access.redhat.com/errata/RHSA-2026:18044
- https://access.redhat.com/errata/RHSA-2026:18040
- https://access.redhat.com/errata/RHSA-2026:16692
- https://access.redhat.com/errata/RHSA-2026:19151
- https://access.redhat.com/errata/RHSA-2026:18043
- https://access.redhat.com/errata/RHSA-2026:18042
- https://access.redhat.com/errata/RHSA-2026:16693
- https://access.redhat.com/errata/RHSA-2026:19365
- https://access.redhat.com/errata/RHSA-2026:25096
- https://access.redhat.com/errata/RHSA-2026:30078
- https://access.redhat.com/errata/RHSA-2026:30089
- https://access.redhat.com/errata/RHSA-2026:30088
- https://access.redhat.com/errata/RHSA-2026:30087
- https://access.redhat.com/errata/RHSA-2026:8579
References
- https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p
- https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.