CVE-2026-39979 Overview
CVE-2026-39979 is an out-of-bounds read vulnerability affecting jq, a widely used command-line JSON processor. The vulnerability exists in the jv_parse_sized() API within the libjq library, where the error-handling path formats the input buffer with %s in jv_string_fmt(). The %s conversion reads until a NUL terminator is found rather than respecting the caller-supplied length parameter, resulting in out-of-bounds memory access when processing malformed JSON in non-NUL-terminated buffers.
Critical Impact
When malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic can read past the end of the buffer, potentially leading to memory disclosure or process termination.
Affected Products
- jq (libjq library) - versions prior to commit 2f09060afab23fe9390cce7cb860b10416e1bf5f
- Applications consuming the libjq library via the jv_parse_sized() API
- Systems processing untrusted JSON input through jq
Discovery Timeline
- 2026-04-13 - CVE-2026-39979 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-39979
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read). The flaw resides in the error handling logic of the jv_parse_sized() function within libjq. When this API receives a counted buffer with an explicit length parameter and encounters malformed JSON, the error construction code path uses jv_string_fmt() with a %s format specifier. This format specifier reads the input buffer as a null-terminated string, ignoring the length parameter provided by the caller.
The vulnerability is reachable by any libjq consumer that calls jv_parse_sized() with untrusted input data in a non-NUL-terminated buffer. Depending on the memory layout at runtime, successful exploitation can result in information disclosure (reading sensitive data from adjacent memory) or denial of service through process crashes.
Root Cause
The root cause is improper handling of the buffer length parameter during error message construction. The jv_string_fmt() function uses the %s format specifier which expects a null-terminated string, but the jv_parse_sized() API is designed to work with counted buffers that may not be null-terminated. This mismatch between the API contract and the error handling implementation creates the out-of-bounds read condition.
Attack Vector
The vulnerability can be exploited remotely over the network through any application that processes untrusted JSON input via the libjq library. An attacker can craft malformed JSON input that triggers the error handling path in jv_parse_sized(), causing the library to read beyond the allocated buffer boundaries. The attack does not require authentication or user interaction; it only requires the ability to supply malicious JSON data to an affected application.
// Security patch in src/jv_parse.c - Fix out-of-bounds read in jv_parse_sized()
// Source: https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f
if (!jv_is_valid(value) && jv_invalid_has_msg(jv_copy(value))) {
jv msg = jv_invalid_get_msg(value);
- value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%s')",
+ value = jv_invalid_with_msg(jv_string_fmt("%s (while parsing '%.*s')",
jv_string_value(msg),
+ length,
string));
jv_free(msg);
}
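Review bot: the `length` argument added for `%.*s` has to be a non-negative `int` at this call site. A precision supplied through `*` is read as an `int`, and a negative value is treated as if no precision had been given, which would bring back the unbounded read. If `length` can be negative or is wider than `int` here, clamp or cast it before the call. A regression test that parses malformed input from a buffer with no trailing NUL, run under ASan, would keep this path covered.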
The fix changes the format specifier from %s to %.*s, which allows specifying a maximum length for the string to be printed. The length parameter is now explicitly passed to ensure the format function respects the buffer boundaries.
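The difference between the two format specifiers can be seen safely with snprintf(). This is an added example, not code from jq: the function names, the "Invalid literal" message and the sample bytes are constructed, and the "neighbouring" bytes live inside the same array so that nothing is read out of bounds.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: one 32-byte array. The first INPUT_LEN bytes are the
 * counted, non-NUL-terminated input; the bytes after them stand in for
 * unrelated neighbouring memory. Everything stays inside the array, so the
 * unbounded variant is well defined here, unlike the real bug. */
static const char region[32] = "{\"a\": tru" "NEIGHBOUR-DATA";
enum { INPUT_LEN = 9 };

/* Pre-patch pattern: %s ignores len and scans until it finds a NUL. */
static int format_unbounded(char *out, size_t outsz, const char *msg,
                            const char *s, int len) {
    (void)len;
    return snprintf(out, outsz, "%s (while parsing '%s')", msg, s);
}

/* Patched pattern: %.*s consumes at most len bytes of s. */
static int format_bounded(char *out, size_t outsz, const char *msg,
                          const char *s, int len) {
    if (len < 0) len = 0; /* a negative precision would be ignored */
    return snprintf(out, outsz, "%s (while parsing '%.*s')", msg, len, s);
}

/* Returns 1 if bytes from beyond the counted input reached the message. */
static int leaks_neighbour(const char *out) {
    return strstr(out, "NEIGHBOUR-DATA") != NULL;
}

int main(void) {
    char out[128];
    format_unbounded(out, sizeof out, "Invalid literal", region, INPUT_LEN);
    printf("%%s   : %s (leak=%d)\n", out, leaks_neighbour(out));
    format_bounded(out, sizeof out, "Invalid literal", region, INPUT_LEN);
    printf("%%.*s : %s (leak=%d)\n", out, leaks_neighbour(out));
    return 0;
}
```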
Detection Methods for CVE-2026-39979
Indicators of Compromise
- Unexpected process crashes in applications using libjq for JSON parsing
- Memory access violations or segmentation faults during JSON processing operations
- Abnormal memory patterns in application logs indicating out-of-bounds read attempts
Detection Strategies
- Monitor for crash dumps or core files from applications that use the jq library or libjq
- Build with AddressSanitizer (ASan) or similar memory debugging tools in development environments to catch out-of-bounds read attempts
- Review application logs for error messages containing unusually long or corrupted JSON parsing output
Monitoring Recommendations
- Deploy endpoint detection capabilities to monitor for abnormal process terminations in applications using libjq
- Implement input validation and sanitization for JSON data before passing it to the jv_parse_sized() API
- Enable crash reporting mechanisms to capture and analyze any jq-related process failures
How to Mitigate CVE-2026-39979
Immediate Actions Required
- Update jq to a version containing commit 2f09060afab23fe9390cce7cb860b10416e1bf5f or later
- Review applications that consume the libjq library and update dependencies accordingly
- Implement input validation to ensure JSON data is properly sanitized before processing
- Consider using null-terminated buffers as a temporary workaround until patching is complete
Patch Information
The vulnerability has been addressed in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f. The fix modifies the format specifier in jv_string_fmt() from %s to %.*s and passes the explicit length parameter to respect buffer boundaries during error message construction. Organizations should apply this patch or update to a version that includes this fix. Additional details are available in the GitHub Security Advisory GHSA-2hhh-px8h-355p.
Workarounds
- Ensure all buffers passed to jv_parse_sized() are null-terminated as a defensive measure
- Implement wrapper functions that validate and sanitize input before calling libjq parsing APIs
- Consider using alternative JSON parsing libraries that properly handle counted buffers until the patch can be applied
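One way to write the wrapper described in the workarounds, as an added example that is not part of libjq or of the original advisory. The `sized_parse_fn` callback, `parse_with_nul_guard()`, the `GUARD_*` codes and `probe_parser()` are hypothetical names; in a real consumer the callback would forward to jv_parse_sized().

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical callback standing in for a sized parser such as
 * jv_parse_sized(buf, len); returns nonzero when parsing fails. */
typedef int (*sized_parse_fn)(const char *buf, int len, void *ctx);

enum { GUARD_OK = 0, GUARD_BAD_ARG = -1, GUARD_TOO_LARGE = -2, GUARD_NOMEM = -3 };

/* Copies the counted input into a private NUL-terminated buffer before the
 * parser sees it, so a NUL-scanning read in the callee ends inside memory
 * this wrapper owns. max_len is an application-chosen size cap. */
static int parse_with_nul_guard(const char *data, size_t len, size_t max_len,
                                sized_parse_fn parse, void *ctx, int *parse_rc) {
    if (!data || !parse || !parse_rc) return GUARD_BAD_ARG;
    if (len > max_len || len >= (size_t)INT_MAX) return GUARD_TOO_LARGE;
    char *copy = malloc(len + 1);
    if (!copy) return GUARD_NOMEM;
    memcpy(copy, data, len);
    copy[len] = '\0';
    *parse_rc = parse(copy, (int)len, ctx);
    free(copy);
    return GUARD_OK;
}

/* Constructed stand-in parser: records how far a NUL scan travels and
 * reports a parse error, mimicking the pre-patch error path. */
static int probe_parser(const char *buf, int len, void *ctx) {
    (void)len;
    *(size_t *)ctx = strlen(buf);
    return 1;
}

int main(void) {
    /* Constructed input: 9 counted bytes followed by unrelated bytes. */
    static const char region[32] = "{\"a\": tru" "NEIGHBOUR-DATA";
    size_t scanned = 0;
    int rc = 0;
    int g = parse_with_nul_guard(region, 9, 1 << 20, probe_parser, &scanned, &rc);
    printf("guard=%d parse_rc=%d bytes_scanned=%zu\n", g, rc, scanned);
    return 0;
}
```

The copy costs one allocation per parse, which is the price of this workaround until the patched library is deployed.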
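# Build and install jq from source at the commit containing the fix
git clone https://github.com/jqlang/jq.git
cd jq
git checkout 2f09060afab23fe9390cce7cb860b10416e1bf5f
# Fetch the bundled oniguruma submodule required when building from git
git submodule update --init
autoreconf -fi
./configure --with-oniguruma=builtin
make
sudo make install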