{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39956", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.822Z", "datePublished": "2026-04-13T22:10:18.817Z", "dateUpdated": "2026-04-14T16:28:19.908Z"}, "containers": {"cna": {"title": "jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-843", "lang": "en", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28"}, {"name": "https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03"}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": ">= 69785bf77f86e2ea1b4a20ca86775916889e91c9, < fdf8ef0f0810e3d365cdd5160de43db46f57ed03", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T22:10:18.817Z"}, "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03."}], "source": {"advisory": "GHSA-6gc3-3g9p-xx28", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:34:20.696741Z", "id": "CVE-2026-39956", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:28:19.908Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39956", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:34:20.696741Z"}}}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:34:38.645Z"}}], "cna": {"title": "jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure", "source": {"advisory": "GHSA-6gc3-3g9p-xx28", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"status": "affected", "version": ">= 69785bf77f86e2ea1b4a20ca86775916889e91c9, < fdf8ef0f0810e3d365cdd5160de43db46f57ed03"}]}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28", "name": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03", "name": "https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-843", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T22:10:18.817Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39956", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:28:19.908Z", "dateReserved": "2026-04-07T22:40:33.822Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T22:10:18.817Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03."}], "id": "CVE-2026-39956", "lastModified": "2026-04-14T17:16:52.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T23:16:27.653", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03"}, {"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-843"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure", "id": "2458076", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458076"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "CWE-1287", "details": ["A flaw was found in jq, a command line JSON processor. In release builds, the `_strindices` builtin function calls the `jv_string_indexes` function without checking that the arguments are actually strings. This missing validation allows an attacker who can supply non-string inputs to cause an application crash and a limited memory read."], "mitigation": {"lang": "en:us", "value": "Do not use untrusted input as an argument to a jq builtin, specifically `_strindices`."}, "name": "CVE-2026-39956", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/controller-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "ansible-automation-platform-26/hub-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Fix deferred", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-13T22:10:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-39956\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-39956\nhttps://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03\nhttps://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28"], "statement": "To exploit this flaw, a user needs to process JSON input with an attacker-supplied argument to the `_strindices` builtin. This allows the attacker to cause an application crash and a limited memory read with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[69785bf77f86e2ea1b4a20ca86775916889e91c9,fdf8ef0f0810e3d365cdd5160de43db46f57ed03)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "jq", "source": "cna", "vendor": "jqlang"}, "product": "jq", "vendor": "jqlang"}], "analysis": {"en": {"generated_at": "2026-04-15T02:22:35.145167+00:00", "value": {"mitigation_remediation": ["Update jq to a version containing commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03 or later", "If an immediate upgrade is not possible, restrict the execution of jq to trusted input only or run it in a sandboxed environment", "Consider using stricter input validation around JSON filters before passing them to jq"], "summary": {"action": "Patch immediately", "impact": "Memory disclosure and denial of service due to improper type checks in _strindices"}, "threat_synthesis": {"affected_systems": "The affected product is jq, a command\u2011line JSON processor maintained by the jqlang community. All jq releases built after commit 69785bf77f86e2ea1b4a20ca86775916889e91c9, up to the patched commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03, are vulnerable. Specific version ranges are not enumerated but any distribution package containing jq built from source before the patch is susceptible.", "description_and_impact": "The vulnerability arises from the _strindices builtin passing arguments directly to a string indexer without validating that the input is actually a string. In a release build, missing assertions allow the function to dereference a pointer derived from an arbitrary numeric value. This results in a program crash, and by crafting a numeric payload that maps to a chosen IEEE\u2011754 bit pattern, an attacker can read small amounts of memory around that pointer. The effect is a denial\u2011of\u2011service condition and limited memory disclosure. The weakness maps to dereference of null or invalid pointers and misuse of type casting.", "risk_and_exploitability": "The CVSS base score of 6.1 indicates a moderate severity. The EPSS score is 0.00012, indicating a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local: a user who can supply or influence a jq filter can trigger the crash or trigger the memory read primitive. In contexts where jq processes untrusted input in a server or privileged environment, the danger escalates to a remote denial\u2011of\u2011service. The exploitation requires only the presence of a vulnerable jq binary and crafted input, making it relatively easy to perform once the target is known."}}}}, "created": "2026-04-14T16:17:02.055604+00:00", "updated": "2026-04-15T15:45:07.529797+00:00", "vendors": ["jqlang", "jqlang$PRODUCT$jq"]}