CVE-2026-39956: jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure

Published Apr 13, 2026 (last updated Apr 17, 2026, per the Event History below)

jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.
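The following is an added example, not code from jq or its maintainers, that models the bug class described above in C. A tagged value keeps a double and a string pointer in the same union (as jq's jv does); the vulnerable callee guards the kind with assert() only, so a build compiled with -DNDEBUG loses the check and a number passed where a string is expected is used as a pointer whose value is the double's IEEE-754 bit pattern. The hardened entry point adds an explicit runtime check that survives any build flags. All names (val_t, model_string_indexes, strindices_checked, number_with_bits, pointer_seen_by_callee) are assumptions for the illustration and are not jq identifiers; val_t is a simplified stand-in for jv, not its real layout, and 64-bit pointers are assumed for the bit-pattern demonstration.

```c
/* Added example, not jq code: simplified model of the CVE-2026-39956 bug class.
 * Assumed names: val_t, model_string_indexes, strindices_checked,
 * number_with_bits, pointer_seen_by_callee. Assumes 64-bit pointers. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { KIND_NUMBER, KIND_STRING } kind_t;

typedef struct {
    kind_t kind;
    union {
        double number;    /* payload when kind == KIND_NUMBER */
        const char *str;  /* payload when kind == KIND_STRING */
    } u;
} val_t;

static val_t make_number(double d) { val_t v; v.kind = KIND_NUMBER; v.u.number = d; return v; }
static val_t make_string(const char *s) { val_t v; v.kind = KIND_STRING; v.u.str = s; return v; }

/* 1 if assert() is live in this translation unit, 0 if -DNDEBUG removed it. */
static int asserts_enabled(void) {
#ifdef NDEBUG
    return 0;
#else
    return 1;
#endif
}

/* Vulnerable shape: the callee guards with assert() only. Under -DNDEBUG the
 * check vanishes and a KIND_NUMBER argument is used as a char pointer. */
static int model_string_indexes(val_t haystack, val_t needle, int *out, int max_out) {
    assert(haystack.kind == KIND_STRING && needle.kind == KIND_STRING);
    const char *h = haystack.u.str, *n = needle.u.str;
    int count = 0;
    if (*n == '\0') return 0;
    /* Overlapping matches, reported as byte offsets into h. */
    for (const char *p = h; (p = strstr(p, n)) != NULL; p++) {
        if (count < max_out) out[count] = (int)(p - h);
        count++;
    }
    return count;
}

/* Fixed shape: an explicit runtime type check that survives any build flags.
 * Returns -1 for a type error instead of dereferencing a number's bits. */
static int strindices_checked(val_t haystack, val_t needle, int *out, int max_out) {
    if (haystack.kind != KIND_STRING || needle.kind != KIND_STRING) return -1;
    return model_string_indexes(haystack, needle, out, max_out);
}

/* A number whose IEEE-754 encoding equals a chosen 64-bit value; an attacker
 * gets the same effect by writing the matching numeric literal in the filter. */
static val_t number_with_bits(uint64_t bits) {
    double d;
    memcpy(&d, &bits, sizeof d);
    return make_number(d);
}

/* The address the unchecked callee would dereference if handed v as a string.
 * Returned as an integer so this demonstration never touches that memory. */
static uint64_t pointer_seen_by_callee(val_t v) {
    return (uint64_t)(uintptr_t)v.u.str;
}

int main(void) {
    int pos[8];
    int n = strindices_checked(make_string("a,b, cd, efg"), make_string(", "), pos, 8);
    printf("checked, string args: %d matches at byte offsets %d and %d\n", n, pos[0], pos[1]);
    printf("checked, number arg: %d (type error reported, no dereference)\n",
           strindices_checked(make_string("abc"), make_number(0), pos, 8));
    printf("assert() live in this build: %d\n", asserts_enabled());
    printf("pointer an unchecked callee would use for the crafted number: 0x%llx\n",
           (unsigned long long)pointer_seen_by_callee(number_with_bits(0x4141414141414141ULL)));
    return 0;
}
```

Compile once with `cc -O2 example.c` and once with `cc -O2 -DNDEBUG example.c`: asserts_enabled() reports which build you have, and in the -DNDEBUG build the assert in model_string_indexes is compiled to nothing, which is exactly why the hardened path must check kinds itself rather than rely on the callee. Do not call model_string_indexes with a KIND_NUMBER argument in the -DNDEBUG build; that is the crash the advisory describes.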

Affected Software (4 affected components; fixes available)

Vendor      Product   Listed version / range
JQ          jq        after commit 69785bf77f86e2ea1b4a20ca86775916889e91c9, before commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03
Microsoft   azl3      jq 1.7.1-4
jqlang      jq        from 2026-04-02, before 2026-04-08
Microsoft   cbl2      jq 1.6-5

Event History

Apr 13, 2026
10:10 PM  CVE published via MITRE
10:10 PM  Data sourced via MITRE: description, severity, weakness
11:16 PM  Data sourced via NVD: remedy, description, severity, weakness, affected software

Apr 17, 2026
08:02 AM  Data sourced via Microsoft: description, severity, weakness, affected software
08:02 AM  Updated via Microsoft: description, severity
08:02 AM  Updated via Microsoft: affected software

Frequently Asked Questions

1. What is the severity of CVE-2026-39956?

CVE-2026-39956 is categorized as a high severity vulnerability because it lets an attacker who controls a jq filter crash jq and, with a crafted numeric value, obtain a limited memory disclosure.

2. How do I fix CVE-2026-39956?

Update jq to a build that includes commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03, or to the corresponding patched distribution package (the Microsoft package versions are listed under Affected Software above).

3. What impact does CVE-2026-39956 have on jq?

The _strindices builtin passes its arguments to jv_string_indexes() without checking that they are strings, and jv_string_indexes() relies only on assert() checks, which are compiled out in release builds built with -DNDEBUG. In such a build a non-string argument (for example _strindices(0)) crashes jq, and a number whose IEEE-754 bit pattern equals a chosen address gives a controlled pointer dereference and a limited memory read/probe primitive.

4. Which versions of jq are affected by CVE-2026-39956?

jq builds from commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9 up to but not including fdf8ef0f0810e3d365cdd5160de43db46f57ed03 are affected; the Microsoft azl3 and cbl2 jq packages are also listed under Affected Software above.

5. Is there a workaround for CVE-2026-39956?

No workaround is listed; the recommended action is to update to a patched build. Note that the exposure requires an attacker-supplied jq filter evaluated by a release build compiled with -DNDEBUG, so deployments that only run trusted filters are not exposed, and a build with assertions enabled fails the assert instead (still a crash, but not a memory disclosure).

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203