NUL Byte Truncation Issue in jq Command-Line JSON Processor by JQLang
CVE-2026-41256

5.5 MEDIUM

Key Information:

Vendor

Jqlang

Status
Vendor
CVE Published:
11 May 2026

What is CVE-2026-41256?

The jq command-line JSON processor, versions 1.8.1 and earlier, is susceptible to a NUL byte truncation vulnerability when loading a top-level program from a file using the -f option. With a specially crafted filter file, jq compiles and executes only the prefix before the NUL byte, leading to unexpected behavior and potential execution of arbitrary code. This occurs due to a mismatch in the compilation process, despite improvements in the JSON parser path. Users are advised to update to a secure version to mitigate risks associated with this issue.
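A pre-flight check for filter files passed to `jq -f`, as an added example that is not part of the advisory or of jq's own code: it flags any embedded NUL byte and reports the prefix that, per the description above, would be compiled in place of the full file. The function names, the `.jq` suffix filter and the sample bytes are assumptions made for this illustration.

```python
import sys
from pathlib import Path

# Constructed sample: the text a reviewer reads differs from the prefix
# that a NUL-truncating loader would compile.
SAMPLE = b".items[]\x00 | select(.approved == true)\n"


def audit_filter_bytes(data: bytes) -> dict:
    """Report the first NUL byte in a jq program and the split around it."""
    offset = data.find(b"\x00")
    if offset == -1:
        return {"nul_offset": None, "line": None,
                "compiled_prefix": data, "ignored_tail": b""}
    return {
        "nul_offset": offset,
        # 1-based line number, so the finding can be located in an editor
        "line": data.count(b"\n", 0, offset) + 1,
        "compiled_prefix": data[:offset],
        "ignored_tail": data[offset + 1:],
    }


def scan_tree(root, suffixes=(".jq",)) -> dict:
    """Return {path: report} for every filter file under root with a NUL."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            report = audit_filter_bytes(path.read_bytes())
            if report["nul_offset"] is not None:
                findings[str(path)] = report
    return findings


if __name__ == "__main__":
    # Usage: python check_jq_filters.py DIR [DIR ...]; exits 1 on any finding.
    hits = {}
    for root in sys.argv[1:] or ["."]:
        hits.update(scan_tree(root))
    for name, rep in hits.items():
        print(f"{name}: NUL at byte {rep['nul_offset']} (line {rep['line']}); "
              f"compiled prefix = {rep['compiled_prefix']!r}")
    sys.exit(1 if hits else 0)
```

Run as a CI or pre-commit step over directories holding jq programs, a non-zero exit blocks any filter file whose reviewed text and compiled prefix could differ.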

Affected Version(s)

jq <= 1.8.1

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved