CVE-2026-41256
Received Received - Intake
jq Null Byte Truncation in Filter Files

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-41256
EUVD
EUVD-2026-29162
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jqlang jq to 1.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-158 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-41256 is a vulnerability in the jq tool where top-level jq programs loaded from a file using the -f option are truncated at the first embedded NUL byte. This happens because the program's bytes are converted to a C-string during compilation, causing the compiler to ignore any content after the NUL byte.

As a result, a crafted filter file containing a NUL byte followed by arbitrary suffixes will compile and execute only the prefix before the NUL, leading to a mismatch between the intended and actual program behavior.

This issue is similar to CVE-2026-33948 but affects the top-level program compilation path instead of the JSON parser input path.

Impact Analysis

An attacker could exploit this vulnerability by providing a file with a valid prefix and an invalid suffix after a NUL byte, causing jq to execute only the prefix while ignoring the rest.

This may lead to unintended program behavior and impacts data integrity, as the executed filter may not match the intended logic.

The vulnerability has a moderate severity rating with a CVSS score of 5.5.

Detection Guidance

This vulnerability can be detected by checking for the presence of jq programs that load filter files using the -f option and verifying if those filter files contain embedded NUL bytes (\x00). Since the vulnerability involves truncation at the first embedded NUL byte, inspecting filter files for such bytes is key.

A practical approach is to search for jq invocations with the -f option and then examine the filter files for embedded NUL bytes.

  • Use commands like `grep -rl --binary-files=text $'\x00' /path/to/filter/files` to find filter files containing NUL bytes.
  • Check running processes or scripts invoking jq with the -f option, for example: `ps aux | grep 'jq -f'`.
  • Manually inspect suspicious filter files with a hex editor or `xxd` to confirm the presence of embedded NUL bytes.
Mitigation Strategies

Immediate mitigation steps include avoiding the use of jq with filter files that may contain embedded NUL bytes, especially those loaded with the -f option.

Since the vulnerability is unpatched in the current upstream HEAD, consider the following actions:

  • Audit and sanitize all jq filter files to ensure they do not contain embedded NUL bytes.
  • Restrict or monitor usage of jq with the -f option to trusted filter files only.
  • If possible, avoid using jq versions affected by this vulnerability until a patch is released.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41256. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart