Vulnerability Description
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
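The bug class described above, as an added C example (not libjq code and not the project's patch): an error formatter that echoes a counted buffer with `%s`, beside one that bounds the read with `%.*s`. The function names, the 64-byte cap and the sample bytes are assumptions made for illustration; the "adjacent" data is placed in the same NUL-terminated array so the over-read is well-defined in this demo.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; this is not libjq code. */

/* Before: treats a counted buffer as a C string. "%s" keeps reading until
 * it meets a NUL byte, so `len` has no effect on how much input is echoed. */
int format_error_unbounded(char *out, size_t outsz, const char *buf, size_t len) {
    (void)len;
    return snprintf(out, outsz, "parse error near '%s'", buf);
}

/* After: "%.*s" takes an int precision that caps the number of bytes read. */
int format_error_bounded(char *out, size_t outsz, const char *buf, size_t len) {
    /* Clamp: the precision argument is an int, and error text should stay short. */
    int prec = len > 64 ? 64 : (int)len;
    return snprintf(out, outsz, "parse error near '%.*s'", prec, buf);
}

/* Constructed input: 4 bytes of malformed JSON followed, in the same array,
 * by unrelated bytes standing in for whatever follows the caller's buffer. */
static const char memory[] = "{bad" "ADJACENT-DATA";
#define INPUT_LEN 4

/* Returns 1 if the error message contains bytes from beyond INPUT_LEN. */
int leaks_adjacent(int bounded) {
    char msg[128];
    if (bounded)
        format_error_bounded(msg, sizeof msg, memory, INPUT_LEN);
    else
        format_error_unbounded(msg, sizeof msg, memory, INPUT_LEN);
    return strstr(msg, "ADJACENT-DATA") != NULL;
}

int main(void) {
    printf("unbounded leaks adjacent bytes: %d\n", leaks_adjacent(0));
    printf("bounded leaks adjacent bytes:   %d\n", leaks_adjacent(1));
    return 0;
}
```

With a real non-NUL-terminated buffer the unbounded form has no guaranteed stopping point, which is why the description lists both memory disclosure and process termination as outcomes.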
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jqlang | Jq | < 2026-04-12 |
References
- https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f (Patch)
- https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-39979?
CVE-2026-39979 is a vulnerability with a CVSS score of 6.5 (MEDIUM).
How severe is CVE-2026-39979?
CVE-2026-39979 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-39979?
Check the references section above for vendor advisories and patch information. Affected products include: Jqlang Jq.