CVE-2026-43895

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.

Affected Software

VendorProductVersion RangeStatus
jqlangjq<= 1.8.1affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation
  • CWE-158: CWE-158: Improper Neutralization of Null Byte or NUL Character

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References