Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1512

NIXPKGS-2026-1512
published 1 month, 2 weeks ago
Permalink CVE-2026-41256
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 month, 2 weeks ago by @LeSuisse Activity log
  • Created suggestion 1 month, 2 weeks ago
  • @LeSuisse ignored
    35 packages
    • ijq
    • jql
    • jqp
    • njq
    • gojq
    • jqfmt
    • jq-lsp
    • jquake
    • jq-zsh-plugin
    • python312Packages.jq
    • python313Packages.jq
    • python314Packages.jq
    • python312Packages.llm-jq
    • python313Packages.llm-jq
    • python314Packages.llm-jq
    • haskellPackages.js-jquery
    • python312Packages.xstatic-jquery
    • python313Packages.xstatic-jquery
    • python314Packages.xstatic-jquery
    • python312Packages.django-jquery-js
    • python313Packages.django-jquery-js
    • python314Packages.django-jquery-js
    • python312Packages.xstatic-jquery-ui
    • python313Packages.xstatic-jquery-ui
    • python314Packages.xstatic-jquery-ui
    • tree-sitter-grammars.tree-sitter-jq
    • vimPlugins.nvim-treesitter-parsers.jq
    • python312Packages.sphinxcontrib-jquery
    • python313Packages.sphinxcontrib-jquery
    • python314Packages.sphinxcontrib-jquery
    • python312Packages.xstatic-jquery-file-upload
    • python313Packages.xstatic-jquery-file-upload
    • python314Packages.xstatic-jquery-file-upload
    • python313Packages.tree-sitter-grammars.tree-sitter-jq
    • python314Packages.tree-sitter-grammars.tree-sitter-jq
    1 month, 2 weeks ago
  • @LeSuisse accepted 1 month, 2 weeks ago
  • @LeSuisse published on GitHub 1 month, 2 weeks ago
jq: Embedded NUL truncates top-level jq programs loaded with -f

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.

Affected products

jq
  • ==<= 1.8.1

Matching in nixpkgs

pkgs.jq

Lightweight and flexible command-line JSON processor

Ignored packages (35)

pkgs.ijq

Interactive wrapper for jq

pkgs.jql

JSON Query Language CLI tool built with Rust

pkgs.jqp

TUI playground to experiment with jq

pkgs.njq

Command-line JSON processor using nix as query language

pkgs.jqfmt

Like gofmt, but for jq

pkgs.jquake

Real-time earthquake map of Japan

Package maintainers