Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1108

NIXPKGS-2026-1108
published on
Permalink CVE-2026-39956
6.1 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 5 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 13 hours ago
  • @LeSuisse ignored
    38 packages
    • ijq
    • jql
    • jqp
    • njq
    • gojq
    • jqfmt
    • jq-lsp
    • jquake
    • jq-zsh-plugin
    • python312Packages.jq
    • python313Packages.jq
    • python314Packages.jq
    • python312Packages.llm-jq
    • python313Packages.llm-jq
    • python314Packages.llm-jq
    • haskellPackages.js-jquery
    • tests.fetchpatch.relative
    • python312Packages.xstatic-jquery
    • python313Packages.xstatic-jquery
    • python314Packages.xstatic-jquery
    • python312Packages.django-jquery-js
    • python313Packages.django-jquery-js
    • python314Packages.django-jquery-js
    • python312Packages.xstatic-jquery-ui
    • python313Packages.xstatic-jquery-ui
    • python314Packages.xstatic-jquery-ui
    • tree-sitter-grammars.tree-sitter-jq
    • tests.fetchNextcloudApp.simple-sha512
    • vimPlugins.nvim-treesitter-parsers.jq
    • python312Packages.sphinxcontrib-jquery
    • python313Packages.sphinxcontrib-jquery
    • python314Packages.sphinxcontrib-jquery
    • tests.fetchFromGitHub.submodule-leave-git
    • python312Packages.xstatic-jquery-file-upload
    • python313Packages.xstatic-jquery-file-upload
    • python314Packages.xstatic-jquery-file-upload
    • python313Packages.tree-sitter-grammars.tree-sitter-jq
    • python314Packages.tree-sitter-grammars.tree-sitter-jq
    6 hours ago
  • @LeSuisse accepted 6 hours ago
  • @LeSuisse published on GitHub 5 hours ago
jq: Missing runtime type checks for _strindices lead to crash and limited memory disclosure

jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.

Affected products

jq
  • ==>= 69785bf77f86e2ea1b4a20ca86775916889e91c9, < fdf8ef0f0810e3d365cdd5160de43db46f57ed03

Matching in nixpkgs

pkgs.jq

Lightweight and flexible command-line JSON processor

Ignored packages (38)

pkgs.ijq

Interactive wrapper for jq

pkgs.jql

JSON Query Language CLI tool built with Rust

pkgs.jqp

TUI playground to experiment with jq

pkgs.jquake

Real-time earthquake map of Japan

Package maintainers