Main Vulnerability Database Vulnerabilities #VU130919

Improper Neutralization of Null Byte or NUL Character in jq - CVE-2026-43895

Published: May 11, 2026

Vulnerability identifier: #VU130919

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2026-43895

CWE-ID: CWE-158

Exploitation vector: Local access

Exploit availability: Public exploit is available

Vulnerable software:
jq

Software vendor:
stedolan (Stephen Dolan)

Description

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to improper neutralization of null byte or NUL character in src/linker.c. A local user can cause the target application to load a different module or JSON data file than the one approved by the policy layer.

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

External links

https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr

Improper Neutralization of Null Byte or NUL Character in jq - CVE-2026-43895

Description

Remediation

External links

Please verify you're human