CVE-2026-39979 | THREATINT

Description

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

PUBLISHED Reserved 2026-04-08 | Published 2026-04-13 | Updated 2026-04-14 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-125: Out-of-bounds Read

Product status

< 2f09060afab23fe9390cce7cb860b10416e1bf5f

affected

References

github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p exploit

github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p

github.com/...ommit/2f09060afab23fe9390cce7cb860b10416e1bf5f

cve.org (CVE-2026-39979)

nvd.nist.gov (CVE-2026-39979)

Download JSON