8.2 · CVE-2026-39979 · EXPLOITED · PATCHED
jqlang · jq

jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers

Description

libjq exposes jv_parse_sized(const char *string, int length) as a counted-buffer JSON parsing API, but its parse-error path later treats the same buffer as a NUL-terminated C string. If a caller passes malformed JSON in a non-NUL-terminated buffer, the error construction logic can read past the caller-supplied length, causing an out-of-bounds read.

The vulnerable path is:

    jv_parse_sized()
      -> jv_parse_sized_custom_flags()
      -> jv_parser_set_buf(&parser, string, length, 0)
      -> parse failure
      -> jv_string_fmt("%s (while parsing '%s')", ..., string)

Relevant code:

  • src/jv.h (line 245)
  • src/jv_parse.c (line 865)
  • src/jv_parse.c (line 896)
  • src/jv.c (line 1528)

The parser correctly accepts a (pointer, length) pair, but when building the error message it formats string with %s, which causes vsnprintf() to continue reading memory until a \0 is found. This makes the error path ignore the explicit buffer length and turns a
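
The %s behaviour described above, as an added example that is not jq's code and not the upstream patch: it formats the same counted buffer once with %s and once with a length-bounded %.*s. The helper names, the "Invalid literal" text and the sample buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; these are not libjq functions. */
typedef int (*fmt_fn)(char *out, size_t outsz, const char *buf, int length);

/* Flawed pattern: the length is accepted but ignored, so %s keeps reading
 * until it happens to meet a NUL byte. */
static int fmt_error_unbounded(char *out, size_t outsz, const char *buf, int length) {
    (void)length;
    return snprintf(out, outsz, "%s (while parsing '%s')", "Invalid literal", buf);
}

/* Bounded form: the precision argument caps how many bytes %s may read. */
static int fmt_error_bounded(char *out, size_t outsz, const char *buf, int length) {
    if (length < 0) length = 0;   /* a negative precision would mean "no limit" */
    return snprintf(out, outsz, "%s (while parsing '%.*s')", "Invalid literal", length, buf);
}

/* Constructed sample: the first INPUT_LEN bytes are the caller's counted,
 * non-NUL-terminated input; the rest of the same array stands in for
 * neighbouring memory, so the over-read stays inside one defined object. */
#define INPUT_LEN 5
static const char region[16] = "{bad}ADJACENT";

/* Returns 1 if the formatted error text contains bytes beyond INPUT_LEN. */
static int leaks_adjacent(fmt_fn fmt) {
    char msg[128];
    fmt(msg, sizeof msg, region, INPUT_LEN);
    return strstr(msg, "ADJACENT") != NULL;
}

int main(void) {
    printf("unbounded: leaks=%d\n", leaks_adjacent(fmt_error_unbounded));
    printf("bounded:   leaks=%d\n", leaks_adjacent(fmt_error_bounded));
    return 0;
}
```

In a real caller the bytes after the counted buffer belong to some other allocation or to unmapped memory, so running such a caller under AddressSanitizer is a practical way to confirm whether a given libjq build still over-reads on malformed input.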

Affected Products

Vendor: jqlang
Product: jq
Versions: < 2f09060afab23fe9390cce7cb860b10416e1bf5f

References

  • https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p (x_refsource_CONFIRM)
  • https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f (x_refsource_MISC)

Related News (5 articles)

  • Tier B · CERT-FR · 2d ago
    Multiple vulnerabilities in the Red Hat Linux kernel (June 26, 2026)
    → No new info (linked only)
  • Tier B · CERT-FR · 9d ago
    Multiple vulnerabilities in the Red Hat Linux kernel (June 19, 2026)
    → No new info (linked only)
  • Tier A · Microsoft MSRC · 71d ago
    CVE-2026-39979 jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers
    → No new info (linked only)
  • Tier C · oss-security · 73d ago
    7 vulnerabilities disclosed & patched in jq
    → No new info (linked only)
  • Tier C · VulDB · 74d ago
    CVE-2026-39979 | jqlang jq jv_parse_sized length out-of-bounds (GHSA-2hhh-px8h-355p)
    → No new info (linked only)
CVSS 3.1: 8.2 HIGH
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: e47e56d226519635768e6aab2f38f0ab037c09e5
CWE: CWE-125, CWE-190, CWE-122
Published: Apr 13, 2026
Last enriched: 73d ago (v3)
Tags: heap overflow, integer overflow
Trending Score: 61
Source articles: 5
Independent: 4
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • HIGH · CVE-2026-49839 · EXP
    jq --rawfile invalid-state reuse after String too long causes heap-buffer-overflow
    Trending: 57
  • NONE · CVE-2026-47770
    jq: stack overflow in deep structural equality
    Trending: 13
  • NONE · CVE-2026-54679
    jq: potential integer overflow in jvp_string_append
    Trending: 13
  • HIGH · CVE-2026-44777
    jq: stack overflow in module loading on mutual `include`
    Trending: 3
  • MEDIUM · CVE-2026-43894
    jq: Wild stack write via signed-integer overflow in decNumber D2U() macro

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Apr 13, 2026: CVE Published
  • Apr 13, 2026: Discovered by ZDM
  • Apr 14, 2026: Updated: severity, activelyExploited
  • Apr 14, 2026: Actively Exploited
  • Apr 14, 2026: Patch Available
  • Apr 15, 2026: Updated: description, severity, cvssEstimate, cweIds, patchAvailable, tags

Version History

v3
Last enriched 73d ago
v3 · Tier C · 73d ago

Updated description with more technical detail, changed severity to HIGH, updated CVSS estimate to 8.2, added new CWE IDs, and provided the patch version.

description, severity, cvssEstimate, cweIds, patchAvailable, tags
via oss-security

v2 · Tier C · 74d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severity, activelyExploited
via VulDB

v1 · 75d ago

Initial creation