cvedb.io
CVE-2026-41256
MEDIUM · CVSS 5.5
EPSS exploitation probability: 0%
Published 2026-05-11T18:16:33.983 · Last modified 2026-06-17T10:46:23.713

Summary

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

Affected products

jqlang — jq

Does this affect you?

Add your gear to cvedb and we'll alert you only when jqlang ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.