CVE & CISA-KEV Catalog

CVE-2026-33948

LOW
5.3
CVSS v3
NVD

Description

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.

How to fix

Remediation Available
jqDebian
Fixed in:1.6-2.1+deb11u2CVE-2026-33948
Fixed in:1.7.1-6+deb13u2CVE-2026-33948
Fixed in:1.8.1-5CVE-2026-33948
jqRocky
Fixed in:main@aarch64RHSA-2026:8579
Fixed in:main@x86_64RHSA-2026:8579
Fixed in:main@srcRHSA-2026:8579
jqRed Hat / RHEL
Fixed in:main@aarch64RHSA-2026:8579
Fixed in:main@srcRHSA-2026:8579
Fixed in:main@x86_64RHSA-2026:8579
jqUbuntu
Fixed in:1.3-1.1ubuntu1.1+esm4USN-8202-1
Fixed in:1.5+dfsg-1ubuntu0.1+esm4USN-8202-1
Fixed in:1.5+dfsg-2ubuntu0.1~esm2USN-8202-1
Fixed in:1.6-1ubuntu0.20.04.1+esm2USN-8202-1
Fixed in:1.6-2.1ubuntu3.2USN-8202-1
Fixed in:1.7.1-3ubuntu0.24.04.2USN-8202-1
Fixed in:1.8.1-3ubuntu1.1USN-8202-1
libjq-devUbuntu
Fixed in:1.5+dfsg-2ubuntu0.1~esm2USN-8202-1
Fixed in:1.6-1ubuntu0.20.04.1+esm2USN-8202-1
Fixed in:1.6-2.1ubuntu3.2USN-8202-1
Fixed in:1.7.1-3ubuntu0.24.04.2USN-8202-1
Fixed in:1.8.1-3ubuntu1.1USN-8202-1
libjq1Ubuntu
Fixed in:1.5+dfsg-2ubuntu0.1~esm2USN-8202-1
Fixed in:1.6-1ubuntu0.20.04.1+esm2USN-8202-1
Fixed in:1.6-2.1ubuntu3.2USN-8202-1
Fixed in:1.7.1-3ubuntu0.24.04.2USN-8202-1
Fixed in:1.8.1-3ubuntu1.1USN-8202-1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged

Impact

ConfidentialityNone
IntegrityLow
AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploit Intelligence

0.26%probability of exploitation in 30 days
17thpercentile

Low risk: more likely to be exploited than 17% of all known CVEs.

References

Exploit1
Embed a live status badge for CVE-2026-33948
CVE-2026-33948 severity badge

Markdown

[![CVE-2026-33948](https://tridentstack.com/cve/badge/CVE-2026-33948.svg)](https://tridentstack.com/cve/CVE-2026-33948)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-33948"><img src="https://tridentstack.com/cve/badge/CVE-2026-33948.svg" alt="CVE-2026-33948"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-04-21.