{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39979", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.628Z", "datePublished": "2026-04-13T22:18:56.252Z", "dateUpdated": "2026-04-14T13:43:15.227Z"}, "containers": {"cna": {"title": "jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p"}, {"name": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f"}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": "< 2f09060afab23fe9390cce7cb860b10416e1bf5f", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T22:18:56.252Z"}, "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f."}], "source": {"advisory": "GHSA-2hhh-px8h-355p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:43:11.607182Z", "id": "CVE-2026-39979", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:43:15.227Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39979", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T13:43:11.607182Z"}}}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:43:05.927Z"}}], "cna": {"title": "jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers", "source": {"advisory": "GHSA-2hhh-px8h-355p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"status": "affected", "version": "< 2f09060afab23fe9390cce7cb860b10416e1bf5f"}]}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p", "name": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f", "name": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T22:18:56.252Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39979", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:43:15.227Z", "dateReserved": "2026-04-08T00:01:47.628Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T22:18:56.252Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*", "matchCriteriaId": "3004A3C4-AF30-42C3-B872-F9EA2CA5FDAB", "versionEndExcluding": "2026-04-12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f."}], "id": "CVE-2026-39979", "lastModified": "2026-04-23T16:50:39.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T23:16:27.823", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers", "id": "2458077", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458077"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the `jv_parse_sized` function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the error message generated by the parser."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, manually ensure that every buffer is NUL-terminated before passing it to the `jv_parse_sized` function."}, "name": "CVE-2026-39979", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-13T22:18:56Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39979\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39979\nhttps://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f\nhttps://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p"], "statement": "To exploit this flaw, an attacker needs to supply malformed JSON from a non-NUL-terminated buffer to an application using the `jv_parse_sized` function. This allows the attacker to trigger the out-of-bounds read, causing an application crash and potentially disclosing memory with no other security impact. As this issue affects the libjq library, it is more likely to be exposed to untrusted input. Due to these reasons, this vulnerability has been rated with an important severity.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,2f09060afab23fe9390cce7cb860b10416e1bf5f)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "jq", "source": "cna", "vendor": "jqlang"}, "product": "jq", "vendor": "jqlang"}], "analysis": {"en": {"generated_at": "2026-04-13T23:50:40.486763+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of jq that includes commit\u202f2f09060afab23fe9390cce7cb860b10416e1bf5f or later.", "If an upgrade is not immediately possible, avoid feeding untrusted JSON to the library or ensure that buffers are properly NUL\u2011terminated before parsing.", "Monitor applications for unexpected crashes or anomalous memory reads and review logs for potential exploitation attempts.", "Check the jq project\u2019s release notes for the latest security patches and apply them as soon as possible."], "summary": {"action": "Apply patch", "impact": "Memory disclosure or crash"}, "threat_synthesis": {"affected_systems": "Any installation of jq that includes libjq code prior to commit\u202f2f09060afab23fe9390cce7cb860b10416e1bf5f is affected. This encompasses all versions of the command\u2011line tool and any program that links against the older libjq library and calls jv_parse_sized() with external input. The patch removes the vulnerable string formatting and correctly respects the buffer length, restoring safe error construction.", "description_and_impact": "The issue originates from an out\u2011of\u2011bounds read that occurs in the error\u2011handling path of the jv_parse_sized() API when it formats a counted buffer with the %s specifier, ignoring the supplied length. Because the format expects a NUL\u2011terminated string, reading past the buffer boundary can expose arbitrary memory contents or cause an application termination. This flaw is identified as a classic out\u2011of\u2011bounds read (CWE\u2011125) and would only be triggered when malformed JSON that lacks a NUL terminator is processed.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity. Based on the description, the vulnerability can be reached by any program or service that supplies untrusted JSON to the library. Thus the attack vector is effectively any context where external data is parsed\u2014such as command line usage, web servers, or embedded scripts. Exploitation would require an attacker to craft malformed, non\u2011NUL\u2011terminated JSON; this yields either a memory disclosure or a crash. The absence of an EPSS score and lack of listing in CISA\u2019s KEV catalog suggests no known widespread exploitation, but the issue remains reachable and potentially damaging."}}}}, "created": "2026-04-14T16:17:00.900698+00:00", "updated": "2026-04-14T16:32:52.308192+00:00", "vendors": ["jqlang", "jqlang$PRODUCT$jq"]}