Improper Neutralization of Null Byte or NUL Character in jq - CVE-2026-41256

 


Published: April 25, 2026


Vulnerability identifier: #VU127878
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41256
CWE-ID: CWE-158
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: stedolan (Stephen Dolan)
Affected software: jq

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass intended jq program integrity checks.

The vulnerability exists due to improper neutralization of a NUL byte in the top-level jq program compilation path when jq loads a program from a file with -f. A remote attacker can supply a crafted filter file containing an embedded NUL byte to bypass intended jq program integrity checks.

Exploitation requires user interaction: the victim must run jq with the crafted filter file.


How to mitigate CVE-2026-41256

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
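
In the absence of an official fix, one compensating check is to refuse filter files that contain a NUL byte before they reach jq -f. The script below is an added example, not code from jq or from this advisory; the function names are hypothetical, and it assumes a legitimate jq program is plain text with no NUL bytes.

```shell
#!/bin/sh
# Added example (not jq project code): pre-flight check for files passed to `jq -f`.
# Assumption: a legitimate jq program is plain text and never contains a NUL byte.

# Print how many NUL bytes FILE contains.
nul_count() {
    total=$(wc -c < "$1") || return 2
    clean=$(tr -d '\000' < "$1" | wc -c) || return 2
    echo $((total - clean))
}

# Print the 0-based byte offset of the first NUL in FILE (call only if one exists).
# Newlines become spaces and NULs become newlines, so "line 1" ends at the first NUL.
first_nul_offset() {
    upto=$(tr '\n\000' ' \n' < "$1" | head -n 1 | wc -c)
    echo $((upto - 1))
}

# Return 0 if FILE is safe to hand to jq -f, 1 if it contains NUL, 2 if unreadable.
check_jq_filter() {
    f=$1
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "cannot read filter file: $f" >&2
        return 2
    fi
    n=$(nul_count "$f") || return 2
    if [ "$n" -gt 0 ]; then
        echo "REJECT $f: $n NUL byte(s), first at offset $(first_nul_offset "$f")" >&2
        return 1
    fi
    return 0
}

# Hypothetical wrapper: run jq -f only after the filter file passes the check.
safe_jq_f() {
    filter=$1
    shift
    check_jq_filter "$filter" || return $?
    jq -f "$filter" "$@"
}
```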
