CVE-2026-39956

MEDIUM 6.1

jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.

CWE	CWE-125 CWE-476 CWE-843
Vendor	jqlang
Product	jq
Published	Apr 13, 2026
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for jqlang jq

Be the first to know when new medium vulnerabilities affecting jqlang jq are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

Affected Versions

jqlang / jq

>= 69785bf77f86e2ea1b4a20ca86775916889e91c9, < fdf8ef0f0810e3d365cdd5160de43db46f57ed03

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28 github.com: https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03