Compliance Impact

This vulnerability in jq can cause sensitive fields to remain in published artifacts by bypassing local redaction policies. Since sensitive data might be unintentionally exposed due to the mismatch in import path validation and actual file loading, this could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict control over the handling and publication of sensitive information.

Specifically, attackers can manipulate jq filters to load unintended files that contain sensitive data, undermining audit and policy enforcement mechanisms designed to prevent such exposure. This risk is particularly relevant in local workflows, CI pipelines, or publishing scripts that rely on jq for data processing and validation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to bypass local redaction policies or validation checks in workflows that use jq, such as local workflows, continuous integration (CI) pipelines, or publishing scripts.

Because jq may load unintended files due to the NUL byte truncation, sensitive fields that should have been redacted or excluded can remain in published artifacts.

This can lead to unintended disclosure of sensitive information, potentially compromising confidentiality and integrity of data processed by jq.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-43895 is a vulnerability in the jq command-line JSON processor where embedded NUL bytes in import paths cause a mismatch between the logical import string validated by policy or audit code and the actual on-disk path jq opens.

jq accepts NUL bytes in import paths at the jq-language level, but later processes these paths as C strings, which are NUL-terminated. This causes the path to be truncated at the first NUL byte during file lookup.

As a result, a filter can pass policy checks that require imports to end with certain suffixes (e.g., "_public"), while jq actually loads a different file (e.g., "rules.json" instead of "rules_public.json").

The root cause is in the source code where jq strings are converted to NUL-terminated C strings for file resolution, leading to improper input validation and neutralization of NUL bytes.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves jq accepting embedded NUL bytes in import paths, which can bypass local redaction policies. Detection would involve inspecting jq import paths for embedded NUL bytes that could cause mismatches between the logical import string and the actual file loaded.

Since the issue arises from import paths containing NUL bytes, you can detect suspicious usage by searching for jq scripts or filters that include NUL characters in import paths or by monitoring jq executions that load unexpected files.

However, no specific detection commands are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The suggested fix is to reject import paths containing embedded NUL bytes before they are converted to C strings for file resolution.

Immediate mitigation steps include:

• Update jq to a version that includes the fix rejecting NUL bytes in import paths.
• Audit and sanitize jq import paths in your scripts and CI pipelines to ensure they do not contain embedded NUL bytes.
• Review local workflows and publishing scripts that validate imports to ensure they correctly handle or reject NUL bytes.

Useful 0 Not Useful 0