CVE-2026-39956
Received Received - Intake
Use-After-Free in jq _strindices Causes Crash, Memory Leak

Publication date: 2026-04-13

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39956
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jqlang jq From 2026-04-02 (inc) to 2026-04-08 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in jq, a command-line JSON processor, specifically in the _strindices builtin function. After a certain commit, _strindices passes its arguments directly to jv_string_indexes() without verifying that they are strings. The jv_string_indexes() function relies only on assert() checks, which are removed in release builds compiled with -DNDEBUG.

Because of this, an attacker can cause jq to crash by providing input like _strindices(0). Furthermore, by crafting a numeric value whose IEEE-754 bit pattern corresponds to a chosen pointer, an attacker can achieve a controlled pointer dereference and gain a limited memory read or probe capability.

Any deployment that evaluates untrusted jq filters against a release build is vulnerable to this issue. The vulnerability has been patched in a later commit.

Impact Analysis

This vulnerability can impact you by allowing an attacker to crash the jq process trivially, causing denial of service.

More seriously, an attacker can craft input to cause a controlled pointer dereference, which can lead to limited memory reading or probing. This could potentially expose sensitive information or lead to further exploitation depending on the environment.

The vulnerability requires that untrusted jq filters be evaluated on a release build, so environments that process untrusted JSON filters with jq are at risk.

Mitigation Strategies

To mitigate this vulnerability, ensure that you update jq to a version that includes the patch from commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03, which fixes the issue.

Avoid evaluating untrusted jq filters against release builds of jq that were compiled with -DNDEBUG, as these builds lack the assert() checks that prevent exploitation.

Compliance Impact

The vulnerability in jq (CVE-2026-39956) allows an attacker to cause crashes and limited memory disclosure when untrusted jq filters are evaluated on release builds. This limited memory disclosure could potentially lead to unauthorized access to sensitive data in memory.

Such unauthorized memory disclosure may impact compliance with data protection standards and regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leaks.

Therefore, systems using vulnerable versions of jq to process untrusted input could be at risk of violating these compliance requirements due to the possibility of memory probing and data leakage.

Detection Guidance

This vulnerability can be detected by testing if the jq tool on your system crashes or behaves unexpectedly when processing certain inputs that misuse the _strindices builtin.

A simple command to test for the crash vulnerability is to run jq with the input that triggers the issue:

  • jq -n '_strindices(0)'

If jq crashes or produces an error related to type misuse, it indicates the presence of the vulnerability in the release build.

More advanced detection involves crafting numeric inputs whose IEEE-754 bit patterns map to chosen pointers to test for controlled pointer dereference or memory read primitives, but this requires specialized knowledge and tools.

To confirm if the vulnerability is patched, verify that jq returns type errors instead of crashing when given non-string inputs to _strindices, for example:

  • jq -n '_strindices(123)'

A patched version will return an error message like "number (123) cannot be searched, as it is not a string" instead of crashing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39956. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart