CVE-2026-39956
Use-After-Free in jq _strindices Causes Crash, Memory Leak
Publication date: 2026-04-13
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jqlang | jq | From 2026-04-02 (inc) to 2026-04-08 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is in jq, a command-line JSON processor, specifically in the _strindices builtin. After a certain commit, _strindices passes its arguments straight to jv_string_indexes() without verifying that they are strings, and jv_string_indexes() itself checks the argument types only with assert(), which is compiled out of release builds built with -DNDEBUG.
As a result, a filter as simple as _strindices(0) crashes jq. Furthermore, a numeric argument whose IEEE-754 bit pattern matches a chosen pointer gives an attacker a controlled pointer dereference, which yields a limited memory read or probe capability.
Any deployment that evaluates untrusted jq filters against a release build is affected. The vulnerability has been patched in a later commit.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to crash the jq process trivially, causing denial of service.
More seriously, an attacker can craft input to cause a controlled pointer dereference, which can lead to limited memory reading or probing. This could potentially expose sensitive information or lead to further exploitation depending on the environment.
The vulnerability requires that untrusted jq filters be evaluated on a release build, so environments that run jq filters supplied by untrusted parties are at risk.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that you update jq to a version that includes the patch from commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03, which fixes the issue.
Avoid evaluating untrusted jq filters against release builds of jq compiled with -DNDEBUG, since those builds have the assert() checks compiled out and nothing else validates the argument types before the dereference.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in jq (CVE-2026-39956) allows an attacker to cause crashes and limited memory disclosure when untrusted jq filters are evaluated on release builds. This limited memory disclosure could potentially lead to unauthorized access to sensitive data in memory.
Such unauthorized memory disclosure may impact compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leaks.
Therefore, systems using vulnerable versions of jq to process untrusted input could be at risk of violating these compliance requirements due to the possibility of memory probing and data leakage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing if the jq tool on your system crashes or behaves unexpectedly when processing certain inputs that misuse the _strindices builtin.
A simple test is to run jq with a filter that passes a non-string to the builtin:
- `jq -n '_strindices(0)'`
If jq crashes instead of reporting a type error, the release build is vulnerable.
More advanced detection involves crafting numeric inputs whose IEEE-754 bit patterns map to chosen pointers to test for controlled pointer dereference or memory read primitives, but this requires specialized knowledge and tools.
To confirm if the vulnerability is patched, verify that jq returns type errors instead of crashing when given non-string inputs to _strindices, for example:
- `jq -n '_strindices(123)'`
A patched version will return an error message like "number (123) cannot be searched, as it is not a string" instead of crashing.
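A small shell check for the detection step above, added here as an example and not part of the advisory or of jq itself: it runs the `_strindices(123)` probe and classifies the binary by whether it reports the type error quoted above (patched) or dies from a signal (no type check ran before the dereference). The binary-path argument, the default of `jq` on PATH, and the four result labels are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a jq binary by how it
# handles the non-string _strindices probe from the detection answer above.
# Prints one of: patched, vulnerable, unknown, missing (labels are assumed).
# Argument: path to the jq binary (assumed; defaults to "jq" on PATH).
check_strindices() {
    jq_bin="${1:-jq}"
    # Locate the binary: an explicit path must be executable, a bare name via PATH.
    case "$jq_bin" in
        */*) [ -x "$jq_bin" ] || { echo "missing"; return 0; } ;;
        *) command -v "$jq_bin" >/dev/null 2>&1 || { echo "missing"; return 0; } ;;
    esac

    # Capture stderr only (the type error goes there) and keep the exit status.
    # The if-form stops a non-zero status from tripping `set -e`.
    if err=$("$jq_bin" -n '_strindices(123)' 2>&1 >/dev/null); then
        status=0
    else
        status=$?
    fi

    # A patched jq rejects the argument with the documented type error.
    case "$err" in
        *"cannot be searched, as it is not a string"*) echo "patched"; return 0 ;;
    esac

    # An exit status above 128 means the process died from a signal: SIGSEGV
    # from the release-build crash, or SIGABRT from a debug-build assert().
    # Either way no type check ran before the dereference.
    if [ "$status" -gt 128 ]; then
        echo "vulnerable"
    else
        echo "unknown"
    fi
}

# Stand-alone use: check the jq on PATH, or the binary given as $1.
check_strindices "$@"
```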