CVE-2026-33948 Overview
CVE-2026-33948 is an input validation vulnerability in jq, a popular command-line JSON processor. The vulnerability exists in commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix.
Critical Impact
Attackers can craft malicious JSON input with a benign prefix before a NUL byte followed by malicious trailing data. jq validates only the prefix while silently discarding the suffix, enabling parser differential attacks against downstream consumers that process the full input.
Affected Products
- jq (commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b)
Discovery Timeline
- 2026-04-14 - CVE-2026-33948 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-33948
Vulnerability Analysis
This vulnerability is classified as CWE-20 (Improper Input Validation). The core issue lies in how jq handles buffer length calculation when parsing JSON input from files or stdin. The vulnerable code uses strlen() to determine the valid length of the input buffer, which only counts characters up to the first NUL (0x00) byte. However, the actual data read by fgets() may contain embedded NUL bytes followed by additional data.
This discrepancy creates a parser differential vulnerability where jq's view of the input differs from what downstream consumers see. An attacker can exploit this by crafting input that appears valid to jq's validation but contains malicious payloads after an embedded NUL byte.
Root Cause
The root cause is the improper use of strlen() for buffer length calculation in src/util.c. The strlen() function is designed to find the length of a C-style null-terminated string, which stops counting at the first NUL byte encountered. When processing binary-safe input that may contain embedded NUL bytes, this approach incorrectly truncates the perceived input length, causing jq to validate only a portion of the actual data.
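The length mismatch described above, reproduced as an added example (this is not jq's source code). The 0xff sentinel fill used by `fgets_len` to recover the real byte count, the constructed sample bytes and all function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: valid JSON, an embedded NUL, then trailing bytes. */
static const char SAMPLE[] = "{\"ok\":true}\0trailing\n";

/* Bytes fgets() stored in buf[0..cap), embedded NULs included.
 * Precondition: buf was filled with 0xff before the fgets() call. */
static size_t fgets_len(const char *buf, size_t cap) {
    const char *nl = memchr(buf, '\n', cap);
    if (nl != NULL)
        return (size_t)(nl - buf) + 1;   /* line ended with a newline */
    for (size_t i = cap; i-- > 0; )      /* no newline: EOF or full buffer */
        if (buf[i] == '\0')
            return i;                    /* last NUL is fgets()'s terminator */
    return 0;
}

/* Read the first line of data[0..n) through fgets() and report the length
 * strlen() sees and the length actually read. Returns 0 on success. */
static int measure(const void *data, size_t n, size_t *naive, size_t *actual) {
    char buf[256];
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    int ok = fwrite(data, 1, n, f) == n;
    rewind(f);
    memset(buf, 0xff, sizeof buf);
    ok = ok && fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    if (!ok)
        return -1;
    *naive = strlen(buf);                 /* stops at the first NUL */
    *actual = fgets_len(buf, sizeof buf); /* counts every byte read */
    return 0;
}

int main(void) {
    size_t naive, actual;
    if (measure(SAMPLE, sizeof SAMPLE - 1, &naive, &actual) != 0)
        return 1;
    printf("strlen: %zu bytes, read: %zu bytes\n", naive, actual);
    if (naive != actual)
        puts("reject: bytes hidden behind an embedded NUL");
    return 0;
}
```

A validation gate can treat any difference between the two lengths as a reason to reject the input rather than parse the prefix.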
Attack Vector
The attack vector involves network-accessible input parsing. An attacker crafts a malicious payload consisting of:
- A valid JSON prefix that passes jq validation
- An embedded NUL byte (0x00)
- Malicious trailing data that jq ignores but downstream consumers process
Workflows that use jq to validate untrusted JSON before passing it to other systems are vulnerable. The downstream system may process the full input including the malicious suffix, while jq's validation only examined the benign prefix.
if (p != NULL)
state->current_line++;
- if (p == NULL && state->parser != NULL) {
- /*
- * There should be no NULs in JSON texts (but JSON text
- * sequences are another story).
- */
- state->buf_valid_len = strlen(state->buf);
- } else if (p == NULL && feof(state->current_input)) {
+ if (p == NULL && feof(state->current_input)) {
size_t i;
/*
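Review bot: with the `p == NULL && state->parser != NULL` branch deleted, a `p == NULL` result that is not at EOF no longer matches any condition shown here and falls through to code outside this hunk, so please confirm `state->buf_valid_len` is still assigned on that path (a read error, for instance). The deleted comment also recorded the assumption that JSON texts contain no NULs; a short replacement comment saying that input may contain NUL bytes and that the length must not come from `strlen(state->buf)` would keep the reasoning next to the code. A regression test that feeds a valid JSON prefix, a NUL byte and trailing bytes through file or stdin input would cover the change.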
Source: GitHub Commit
Detection Methods for CVE-2026-33948
Indicators of Compromise
- JSON input containing embedded NUL bytes (0x00) in unexpected positions
- Discrepancies between jq validation results and downstream parser interpretations
- Unusual byte sequences in JSON data streams where binary characters appear after valid JSON structures
Detection Strategies
- Monitor for binary data within JSON input streams, particularly NUL bytes that should not appear in valid JSON
- Implement logging that compares input sizes at validation points versus downstream processing points
- Deploy content inspection rules that flag JSON inputs containing control characters or NUL bytes
Monitoring Recommendations
- Audit systems that use jq as a JSON validation gateway before forwarding to other consumers
- Review logs for size discrepancies between received input and validated content
- Monitor for parser differential symptoms where validated content differs from processed content
How to Mitigate CVE-2026-33948
Immediate Actions Required
- Update jq to a version containing commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b or later
- Review workflows that rely on jq for JSON validation before forwarding to downstream systems
- Implement additional input validation that rejects JSON containing NUL bytes
Patch Information
The vulnerability has been patched in commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b. The fix removes the vulnerable code path that used strlen() for buffer length calculation, ensuring the parser correctly handles the actual byte count from input operations. Users should update to a version of jq that includes this commit. For more details, see the GitHub Security Advisory.
Workarounds
- Pre-filter JSON input to reject any data containing NUL bytes before passing to jq
- Implement binary-safe length checks in validation workflows that compare actual input size with jq's perceived size
- Use alternative JSON validators that handle embedded NUL bytes correctly until jq can be updated
# Pre-filter to reject input containing NUL bytes before jq validation
# -a treats the file as text; -P lets \x00 match a literal NUL byte (GNU grep)
if grep -qaP '\x00' input.json; then
    echo "Rejecting input containing NUL bytes" >&2
    exit 1
fi
jq '.' input.json


