CVE-2026-33948

Source
https://cve.org/CVERecord?id=CVE-2026-33948
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33948.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33948
Aliases
  • GHSA-32cx-cvvh-2wj9
Downstream
Related
Published
2026-04-13T23:51:04.144Z
Modified
2026-07-09T10:14:49.023965074Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input
Details

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "fixed": "6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33948.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-170",
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/jqlang/jq

Affected ranges

Type
GIT
Repo
https://github.com/jqlang/jq
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

1.*
1.6rc2
jq-1.*
jq-1.0
jq-1.1
jq-1.2
jq-1.3
jq-1.4
jq-1.5rc1
jq-1.5rc2
jq-1.6
jq-1.6rc1
jq-1.7
jq-1.7.1
jq-1.7rc1
jq-1.7rc2
jq-1.8.0
jq-1.8.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33948.json"