CVE-2026-43895

Published: Mag 11, 2026 Last Modified: Mag 11, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,4
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none

Description

AI Translation Available

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.

20

Improper Input Validation

Stable
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Confidentiality Integrity
Potential Impacts:
Dos: Crash, Exit, Or Restart Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Read Memory Read Files Or Directories Modify Memory Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies: AI/ML
Likelihood of Exploit: High
View CWE Details
158

Improper Neutralization of Null Byte or NUL Character

Incomplete
Abstraction: Variant Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity
Potential Impacts:
Unexpected State
Applicable Platforms
Languages: C, C++, Not Language-Specific
View CWE Details
https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-…
https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr