{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-13T22:10:18Z",
  "bugzilla" : {
    "description" : "jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure",
    "id" : "2458076",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458076"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1287",
  "details" : [ "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.", "A flaw was found in jq, a command line JSON processor. In release builds, the `_strindices` builtin function calls the `jv_string_indexes` function without checking that the arguments are actually strings. This missing validation allows an attacker who can supply non-string inputs to cause an application crash and a limited memory read." ],
  "statement" : "To exploit this flaw, a user needs to process JSON input with an attacker-supplied argument to the `_strindices` builtin. This allows the attacker to cause an application crash and a limited memory read with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8579",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "jq-main-1.8.1-3.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-26/controller-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform-26/hub-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "automation-controller",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 4",
    "fix_state" : "Fix deferred",
    "package_name" : "jq",
    "cpe" : "cpe:/a:redhat:ceph_storage:4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "jq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "jq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "jq",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-39956\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39956\nhttps://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03\nhttps://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28" ],
  "name" : "CVE-2026-39956",
  "mitigation" : {
    "value" : "Do not use untrusted input as an argument to a jq builtin, specifically '_strindices'.",
    "lang" : "en:us"
  },
  "csaw" : false
}