CVE-2026-41256

Name: CVE-2026-41256
Description: jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as `.` followed by `\x00` and an arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4599-1
Debian Bugs: 1136445
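As an added example, not code from the Debian tracker or the jq project: a small Python pre-flight check that mirrors the truncation the description above explains, so a filter file with an embedded NUL can be flagged or rejected before it reaches `jq -f`. The function names and the sample filter files are assumptions of this example.

```python
# Added example (not Debian's or jq's code): audit a jq filter file for the
# CVE-2026-41256 failure mode. An unpatched jq compiles only the bytes before
# the first NUL in a file given with -f; everything after it is silently
# ignored. This check reports what would be compiled and how much is hidden.
from typing import Optional, Tuple


def split_at_nul(program: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Return (compiled_prefix, hidden_suffix).

    hidden_suffix is None when the file has no NUL byte, i.e. the whole
    program would be compiled as written.
    """
    idx = program.find(b"\x00")
    if idx < 0:
        return program, None
    return program[:idx], program[idx + 1:]


def audit_filter_file(program: bytes) -> dict:
    """Summarise what an unpatched jq would run versus what is hidden."""
    prefix, suffix = split_at_nul(program)
    return {
        "has_nul": suffix is not None,
        "compiled_program": prefix.decode("utf-8", "replace"),
        "hidden_bytes": 0 if suffix is None else len(suffix),
        "total_bytes": len(program),
    }


# Constructed sample inputs (assumptions of this example).
CLEAN = b'.[] | select(.level == "error")\n'
TRUNCATED = b'.\x00 | this part never reaches the compiler\n'

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("truncated", TRUNCATED)):
        report = audit_filter_file(data)
        verdict = "REJECT" if report["has_nul"] else "ok"
        print(f"{name}: {verdict} {report}")
```

A file that reports `has_nul` should be rejected outright: a legitimate jq program never needs a NUL byte, and the hidden suffix is the part no reviewer of the visible prefix would have seen.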

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release             | Version          | Status
---------------|---------------------|------------------|-----------
jq (PTS)       | bullseye            | 1.6-2.1          | vulnerable
               | bullseye (security) | 1.6-2.1+deb11u2  | fixed
               | bookworm            | 1.6-2.1+deb12u1  | vulnerable
               | trixie              | 1.7.1-6+deb13u2  | vulnerable
               | forky, sid          | 1.8.1-7          | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version    | Urgency | Origin     | Debian Bugs
--------|--------|------------|------------------|---------|------------|------------
jq      | source | bullseye   | 1.6-2.1+deb11u2  |         | DLA-4599-1 |
jq      | source | (unstable) | 1.8.1-6          |         |            | 1136445

Notes

[trixie] - jq <no-dsa> (Minor issue)
[bookworm] - jq <no-dsa> (Minor issue)
https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg
