CVE-2026-39979: jq: Out-of-Bounds Read in jv_parse_sized() Error Formatting for Non-NUL-Terminated Counted Buffers
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Security readout for executives and security teams
Plain-English summary
CVE-2026-39979 is a jq/libjq memory-read bug triggered during malformed JSON error handling. A vulnerable library consumer may read past the provided input buffer, causing a crash or limited memory disclosure. Business urgency is highest where applications expose libjq parsing to untrusted network input.
Executive priority
Treat as a high-priority patching and exposure-discovery item, especially for internet-facing services embedding libjq. The risk is conditional, but the published CVSS is high and remediation is available in upstream and Red Hat sources.
Technical view
Before commit 2f09060afab23fe9390cce7cb860b10416e1bf5f, libjq jv_parse_sized() accepted explicit buffer lengths but formatted malformed input with %s during error construction. Non-NUL-terminated counted buffers can cause an out-of-bounds read. The issue is CWE-125 with CVSS 3.1 score 8.2, affecting jq before the fixing commit.
Likely exposure
Exposure is most likely in applications embedding libjq and calling jv_parse_sized() on untrusted JSON. The bundle does not prove every jq command-line use is exploitable. Red Hat advisories indicate packaged remediation exists, but product-level applicability should be verified per environment.
Exploitation context
The source bundle does not cite active exploitation, and KEV is false. Exploitation depends on a consumer passing malformed, non-NUL-terminated untrusted input to jv_parse_sized(). Impact may be process termination or limited adjacent memory disclosure, depending on memory layout.
Researcher notes
Key condition is malformed JSON in a non-NUL-terminated counted buffer passed to jv_parse_sized(). Focus review on libjq API consumers, not only direct jq CLI invocations. Avoid assuming exploitability without confirming buffer ownership, termination, and input trust boundaries.
Mitigation direction
Upgrade jq/libjq to a build containing commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Apply relevant Red Hat errata for systems using Red Hat-packaged jq or libjq.
Inventory applications that embed libjq and parse untrusted JSON.
Prioritize externally reachable services using jv_parse_sized() on attacker-controlled input.
If no vendor package is available, check vendor guidance before choosing local backports.
Validation and detection
Check installed jq/libjq versions and package advisories against CVE-2026-39979.
Confirm whether applications call jv_parse_sized() with untrusted counted buffers.
Review SBOMs and dependency manifests for bundled or statically linked libjq.
Validate patched builds include commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Confirm relevant Red Hat errata are applied where applicable.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-125 · source CWE mapping
Out-of-bounds Read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.