CVE-2026-41256
jq Null Byte Truncation in Filter Files

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as `.` followed by `\x00` and an arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE

Vendor | Product | Version / Range
jqlang | jq | to 1.8.1 (exc)
CWE
CWE ID | Description
CWE-158 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41256 is a vulnerability in the jq tool where top-level jq programs loaded from a file using the -f option are truncated at the first embedded NUL byte. This happens because the program's bytes are converted to a C-string during compilation, causing the compiler to ignore any content after the NUL byte.

As a result, a crafted filter file containing a NUL byte followed by arbitrary suffixes will compile and execute only the prefix before the NUL, leading to a mismatch between the intended and actual program behavior.

This issue is similar to CVE-2026-33948 but affects the top-level program compilation path instead of the JSON parser input path.


How can this vulnerability impact me?

An attacker could exploit this vulnerability by providing a file with a valid prefix and an invalid suffix after a NUL byte, causing jq to execute only the prefix while ignoring the rest.

This may lead to unintended program behavior and impacts data integrity, as the executed filter may not match the intended logic.

The vulnerability has a moderate severity rating with a CVSS score of 5.5.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of jq programs that load filter files using the -f option and verifying if those filter files contain embedded NUL bytes (\x00). Since the vulnerability involves truncation at the first embedded NUL byte, inspecting filter files for such bytes is key.

A practical approach is to search for jq invocations with the -f option and then examine the filter files for embedded NUL bytes.

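  • Use commands like `grep -rlP --binary-files=text '\x00' /path/to/filter/files` (GNU grep) to find filter files containing NUL bytes. The pattern is written as a PCRE escape because a shell argument cannot carry a literal NUL: `$'\x00'` expands to an empty string, which matches every file.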
  • Check running processes or scripts invoking jq with the -f option, for example: `ps aux | grep 'jq -f'`.
  • Manually inspect suspicious filter files with a hex editor or `xxd` to confirm the presence of embedded NUL bytes.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of jq with filter files that may contain embedded NUL bytes, especially those loaded with the -f option.

Since the vulnerability is unpatched in the current upstream HEAD, consider the following actions:

  • Audit and sanitize all jq filter files to ensure they do not contain embedded NUL bytes.
  • Restrict or monitor usage of jq with the -f option to trusted filter files only.
  • If possible, avoid using jq versions affected by this vulnerability until a patch is released.
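
The file inspection from the detection steps and the audit from the mitigation list can be combined into one check. The script below is an added example, not code from the advisory or from the jq project; the function names and the sample filter files are constructed for illustration. For each file it reports the offset of the first NUL, the prefix that (per the description above) would be compiled, and how many bytes after the NUL would be ignored.

```shell
#!/bin/sh
# Added example: audit jq filter files for embedded NUL bytes (CWE-158).

# Print the offset of the first NUL byte in file $1; return 1 if there is none.
# od renders bytes as decimal numbers, so a NUL never has to pass through a
# shell argument (where it would truncate the string).
first_nul_offset() {
    od -An -v -tu1 "$1" | tr -s ' ' '\n' | awk '
        NF { if ($1 == 0) { print n + 0; found = 1; exit } n++ }
        END { exit !found }'
}

# Report the prefix before the NUL and the number of bytes after it.
# Returns 1 for a file that contains a NUL.
audit_filter() {
    off=$(first_nul_offset "$1") || { echo "clean $1"; return 0; }
    total=$(wc -c < "$1" | tr -d ' ')
    prefix=$(dd if="$1" bs=1 count="$off" 2>/dev/null)
    echo "NUL   $1 offset=$off ignored_bytes=$((total - off - 1)) compiled_prefix=[$prefix]"
    return 1
}

# Audit every regular file under directory $1; non-zero status if any file
# contains a NUL, so the check can gate a CI job.
scan_filters() {
    bad=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        audit_filter "$f" || bad=$((bad + 1))
    done <<EOF
$(find "$1" -type f)
EOF
    [ "$bad" -eq 0 ]
}

# Constructed samples: one ordinary filter, one with "." + NUL + suffix.
make_samples() {
    d=$(mktemp -d)
    printf '.items[] | select(.ok)\n' > "$d/clean.jq"
    printf '.\000| error("never compiled")\n' > "$d/truncated.jq"
    echo "$d"
}

samples=$(make_samples)
scan_filters "$samples" || echo "filter files with embedded NUL found"
rm -rf "$samples"
```

Point `scan_filters` at the directory that holds the filter files passed to `jq -f`; file names containing newlines are not handled.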

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

