{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33948", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.105Z", "datePublished": "2026-04-13T23:51:04.144Z", "dateUpdated": "2026-04-14T15:53:38.340Z"}, "containers": {"cna": {"title": "jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input", "problemTypes": [{"descriptions": [{"cweId": "CWE-170", "lang": "en", "description": "CWE-170: Improper Null Termination", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9"}, {"name": "https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b"}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": "< 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T23:51:04.144Z"}, "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b."}], "source": {"advisory": "GHSA-32cx-cvvh-2wj9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:53:20.536777Z", "id": "CVE-2026-33948", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:53:38.340Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33948", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:53:20.536777Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:53:26.673Z"}}], "cna": {"title": "jq: Embedded-NUL Truncation in CLI JSON Input Path Causes Prefix-Only Validation of Malformed Input", "source": {"advisory": "GHSA-32cx-cvvh-2wj9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.9, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"status": "affected", "version": "< 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b"}]}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9", "name": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b", "name": "https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-170", "description": "CWE-170: Improper Null Termination"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T23:51:04.144Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33948", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:53:38.340Z", "dateReserved": "2026-03-24T19:50:52.105Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T23:51:04.144Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b."}], "id": "CVE-2026-33948", "lastModified": "2026-04-14T00:16:06.867", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T00:16:06.867", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b"}, {"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-170"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "jq: jq: Input validation bypass via embedded NUL bytes allows parser differential attacks", "id": "2458085", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458085"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-170", "details": ["A flaw was found in jq, a command-line JSON processor. This vulnerability allows a remote attacker to bypass input validation by crafting malicious JSON input containing embedded null (NUL) bytes. Due to incorrect handling of input buffer lengths, jq truncates the input at the first NUL byte, validating only the benign prefix and silently discarding any malicious data that follows. This can lead to parser differential attacks where downstream systems, relying on jq for validation, may process the full, unvalidated input, potentially leading to unexpected behavior or security compromises."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33948", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-13T23:51:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33948\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33948\nhttps://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b\nhttps://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9"], "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "jq", "source": "cna", "vendor": "jqlang"}, "product": "jq", "vendor": "jqlang"}], "analysis": {"en": {"generated_at": "2026-04-14T01:25:56.296145+00:00", "value": {"mitigation_remediation": ["Upgrade jq to a release that includes commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b or later.", "If an immediate upgrade is not possible, use an external JSON validator or sanitization step before passing data to jq or downstream consumers to ensure no hidden data follows a NUL byte.", "Verify that downstream services do not process raw input after jq and adjust input handling to reject data containing NUL bytes."], "summary": {"action": "Immediate Patch", "impact": "Input validation bypass enabling malicious data to slip past jq while still being processed by downstream consumers"}, "threat_synthesis": {"affected_systems": "The affected vendor is jqlang and the product is jq. All jq releases before commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b are vulnerable. No specific product version numbers are provided; any pre\u2011commit revision of jq is at risk.", "description_and_impact": "jq, a command\u2011line JSON processor, previously used strlen() instead of the actual byte count from fgets() when reading JSON from files or standard input. This caused the program to truncate data at the first NUL byte and parse only the preceding prefix. An attacker can therefore craft input that begins with a benign JSON string, inserts a NUL byte, and appends malicious trailing data. The truncated portion is silently discarded, so jq accepts the input as valid JSON, but downstream consumers that read the full data will still process the malicious suffix. This vulnerability permits a parser differential attack that can bypass validation logic but still exploit downstream services.", "risk_and_exploitability": "The CVSS score for this issue is 2.9, indicating low severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, implying it is not actively exploited at large scale. The likely attack vector is local: any user who can execute jq with crafted input can trigger the vulnerability. Because the flaw requires only a malicious JSON payload passed to jq, exploitation is straightforward for an attacker who can influence input to jq, such as in scripts, CI pipelines, or user\u2011supplied files."}}}}, "created": "2026-04-14T16:16:56.821445+00:00", "updated": "2026-04-14T16:32:02.336126+00:00", "vendors": ["jqlang", "jqlang$PRODUCT$jq"]}