CVE-2026-39979: jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers

Published Apr 13, 2026
·
Updated

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

Affected Software

4 affected componentsFixes available
github/stedolan/jq<2f09060afab23fe9390cce7cb860b10416e1bf5f
Microsoft azl3 jq 1.7.1-4
Patch available
jqlang jq<2026-04-12
Microsoft cbl2 jq 1.6-5
Patch available

Remediation

Patch Available

https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f

Event History

Apr 13, 2026
CVE Published
via MITRE·10:18 PM
Data Sourced
via MITRE·10:18 PM
DescriptionWeakness
Data Sourced
via Red Hat·11:01 PM
DescriptionSeverityAffected Software
Data Sourced
via NVD·11:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Apr 17, 2026
Data Sourced
via Microsoft·08:01 AM
DescriptionSeverityWeaknessAffected Software
Updated
via Microsoft·08:01 AM
DescriptionSeverity
Updated
via Microsoft·08:01 AM
Affected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-39979?

CVE-2026-39979 has a medium severity rating due to its potential to cause out-of-bounds reads.

2

How do I fix CVE-2026-39979?

To fix CVE-2026-39979, update jq to a version newer than 2f09060afab23fe9390cce7cb860b10416e1bf5f.

3

What software is affected by CVE-2026-39979?

CVE-2026-39979 affects versions of jq prior to 2f09060afab23fe9390cce7cb860b10416e1bf5f.

4

What is the nature of the vulnerability in CVE-2026-39979?

CVE-2026-39979 involves an out-of-bounds read in the jv_parse_sized() function when handling non-NUL-terminated buffers.

5

Is there a known exploit for CVE-2026-39979?

As of now, there are no publicly disclosed exploits specifically targeting CVE-2026-39979.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203