Copyright © 2012 Red Hat, Inc. All rights reserved.
Moderate
2026-05-11T17:18:30
jq: embedded NUL truncates top-level jq programs loaded with -f
5.5
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE-158
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
A flaw was found in jq, a command line JSON processor. Top-level jq programs loaded from a file using the `-f` flag are truncated at the first embedded NUL byte. This issue allows an attacker who can supply a crafted filter file to prematurely truncate the program, potentially bypassing filtering logic and modifying the integrity of the processed data.
To exploit this flaw, an attacker needs to supply a crafted filter file containing an embedded NUL byte to be loaded by jq using the `-f` flag. This allows the attacker to prematurely truncate the program, potentially bypassing intended filtering logic and modifying the integrity of the processed data. Due to these reasons, this issue has been rated with a moderate severity.
Do not process untrusted filter files using the -f flag with the jq command line JSON processor.
Red Hat Ansible Automation Platform 2
Fix deferred
ansible-automation-platform-26/controller-rhel9
Red Hat Ansible Automation Platform 2
Fix deferred
ansible-automation-platform-26/hub-rhel9
Red Hat Ansible Automation Platform 2
Fix deferred
automation-controller
Red Hat Ceph Storage 4
Fix deferred
jq
Red Hat Enterprise Linux 10
Fix deferred
jq
Red Hat Enterprise Linux 8
Fix deferred
jq
Red Hat Enterprise Linux 9
Fix deferred
jq
Red Hat Hardened Images
Affected
jq
Red Hat OpenShift Container Platform 4
Fix deferred
rhcos
https://www.cve.org/CVERecord?id=CVE-2026-41256
https://nvd.nist.gov/vuln/detail/CVE-2026-41256
https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg