Medium severity5.5NVD Advisory· Published May 11, 2026· Updated May 13, 2026
CVE-2026-41256
CVE-2026-41256
Description
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
1- github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fgnvdExploitVendor Advisory
News mentions
0No linked articles in our index yet.