CVE-2026-41256 Overview
CVE-2026-41256 affects jq, a widely used command-line JSON processor. The vulnerability exists in version 1.8.1 and earlier, including current upstream HEAD. Top-level jq programs loaded from a file with the -f flag are truncated at the first embedded NUL byte during compilation. A crafted filter file containing a benign prefix followed by \\x00 and a malicious suffix compiles and executes only the prefix before the NUL. This creates a prefix and full-buffer mismatch on the compilation path, even though the JSON parser path was previously fixed under CVE-2026-33948. The flaw is classified as improper handling of NUL bytes [CWE-158].
Critical Impact
An attacker who controls a jq filter file can hide malicious filter content past a NUL byte, bypassing integrity checks performed on the full file buffer while jq executes only the truncated prefix.
Affected Products
- jqlang jq version 1.8.1
- jqlang jq versions prior to 1.8.1
- jqlang jq current upstream HEAD compilation path
Discovery Timeline
- 2026-05-11 - CVE-2026-41256 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41256
Vulnerability Analysis
The vulnerability stems from inconsistent string handling between the full-buffer integrity surface and the compilation path. When jq loads a filter program from a file using the -f option, the compilation routine treats the buffer as a C-style NUL-terminated string. Content after the first \\x00 byte is discarded silently during parsing and compilation.
Other code paths, such as file integrity checks or auditing tools, may operate on the full byte buffer. This asymmetry produces a prefix and full-buffer mismatch. A reviewer or scanner inspecting the entire file sees the complete content, while jq only executes the prefix.
The related CVE-2026-33948 addressed similar NUL truncation behavior in the JSON parser path. The compilation path was not patched at the same time, leaving this gap exposed.
Root Cause
The root cause is the use of NUL-terminated string semantics in the jq program compilation routine while upstream checks operate on length-delimited buffers. The compiler stops reading at \\x00, but the surrounding tooling does not. This mismatch is the classic pattern described by [CWE-158: Improper Neutralization of Null Byte or NUL Character].
Attack Vector
Exploitation requires local access and user interaction. An attacker crafts a filter file such as .\\x00<malicious_suffix> and convinces a user or automated pipeline to invoke jq -f against it. Review processes that inspect the entire file may approve content the jq compiler never executes, or conversely fail to detect that malicious filter content stored after the NUL is silently dropped. The integrity impact is high while confidentiality and availability are not directly affected, per the published CVSS vector.
Verified exploit code is not currently public, and no entries appear on Exploit-DB or in the CISA Known Exploited Vulnerabilities catalog. See the GitHub Security Advisory GHSA-vf2h-chrj-q3fg for upstream technical details.
Detection Methods for CVE-2026-41256
Indicators of Compromise
- jq filter files (.jq or arbitrary extensions) containing one or more embedded \\x00 bytes when scanned as raw binary.
- Discrepancies between the byte length of a filter file and the length of content parsed by jq during execution.
- Audit logs showing jq -f <file> invocations against files that contain non-printable bytes.
Detection Strategies
- Scan filter file repositories for embedded NUL bytes using tools such as grep -PaL '\\x00' or equivalent binary inspection utilities.
- Compare hashes of filter files at rest against their parsed compiled forms to flag truncation mismatches.
- Inspect process telemetry for jq invocations with the -f flag and correlate against file content inspections.
Monitoring Recommendations
- Enable command-line argument logging on hosts that run jq in data processing or CI/CD pipelines.
- Add file integrity monitoring for shared filter file directories to alert on writes containing control characters.
- Track jq versions across the fleet and prioritize hosts still running 1.8.1 or earlier for upgrade.
How to Mitigate CVE-2026-41256
Immediate Actions Required
- Inventory all systems running jq and identify any version at or below 1.8.1, including builds from upstream HEAD prior to the fix.
- Audit existing .jq filter files for embedded NUL bytes and reject any file containing them.
- Restrict the ability of untrusted users to supply filter files consumed by automated jq -f pipelines.
Patch Information
Refer to the upstream jq Security Advisory GHSA-vf2h-chrj-q3fg for the fixed release and patch commit details. Upgrade to the version designated by the jqlang maintainers as containing the compilation-path fix, and rebuild any downstream packages that vendor jq source.
Workarounds
- Preprocess filter files to strip or reject NUL bytes before passing them to jq -f.
- Inline jq filters on the command line rather than loading them from files when feasible.
- Enforce strict file format validation in CI/CD systems that consume jq programs from version control.
# Reject jq filter files containing embedded NUL bytes
if grep -qaP '\\x00' "$FILTER_FILE"; then
echo "Refusing to run jq: filter file contains NUL byte" >&2
exit 1
fi
jq -f "$FILTER_FILE" < input.json
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
