CVE-2026-41256

Published: Mag 11, 2026 Last Modified: Mag 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 5,5

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: unchanged

Confidentiality: none

Integrity: high

Availability: none

Description

AI Translation Available

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

158

Improper Neutralization of Null Byte or NUL Character

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity

Potential Impacts:

Unexpected State

Applicable Platforms

Languages: C, C++, Not Language-Specific

View CWE Details

https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-…

https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg

CVE-2026-41256

Description

Improper Neutralization of Null Byte or NUL Character

Common Consequences

Applicable Platforms

Iscriviti alla newsletter