UBUNTU-CVE-2026-33948

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-33948

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33948.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2026-33948

Upstream

CVE-2026-33948

Published

2026-04-14T00:16:00Z

Modified

2026-04-16T11:05:48.782787Z

Severity

2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.

References

Affected packages

Ubuntu:22.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6-2.1ubuntu2

1.6-2.1ubuntu3

1.6-2.1ubuntu3.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.6-2.1ubuntu3.1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.6-2.1ubuntu3.1",
            "binary_name": "libjq-dev"
        },
        {
            "binary_version": "1.6-2.1ubuntu3.1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33948.json"

Ubuntu:24.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6-3

1.7-1

1.7.1-2

1.7.1-3

1.7.1-3build1

1.7.1-3ubuntu0.24.04.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.7.1-3ubuntu0.24.04.1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.7.1-3ubuntu0.24.04.1",
            "binary_name": "libjq-dev"
        },
        {
            "binary_version": "1.7.1-3ubuntu0.24.04.1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33948.json"

Ubuntu:25.10

Package

Name: jq
Purl: pkg:deb/ubuntu/jq@1.8.1-3ubuntu1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.7.1-3ubuntu1

1.7.1-6ubuntu1

1.8.1-3ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.8.1-3ubuntu1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.8.1-3ubuntu1",
            "binary_name": "libjq-dev"
        },
        {
            "binary_version": "1.8.1-3ubuntu1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33948.json"

Ubuntu:Pro:14.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq@1.3-1.1ubuntu1.1+esm3?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2-8

1.3-1

1.3-1.1ubuntu1

1.3-1.1ubuntu1.1

1.3-1.1ubuntu1.1+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.3-1.1ubuntu1.1+esm3",
            "binary_name": "jq"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33948.json"

Ubuntu:Pro:16.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm3?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.4-2.1

1.5+dfsg-1

1.5+dfsg-1ubuntu0.1

1.5+dfsg-1ubuntu0.1+esm2

1.5+dfsg-1ubuntu0.1+esm3

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.5+dfsg-1ubuntu0.1+esm3",
            "binary_name": "jq"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33948.json"

Ubuntu:Pro:18.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5+dfsg-2

1.5+dfsg-2ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm1",
            "binary_name": "libjq-dev"
        },
        {
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33948.json"

Ubuntu:Pro:20.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm1?arch=source&distro=esm-infra/focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.5+dfsg-2build1

1.6-1

1.6-1ubuntu0.20.04.1

1.6-1ubuntu0.20.04.1+esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1.6-1ubuntu0.20.04.1+esm1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.6-1ubuntu0.20.04.1+esm1",
            "binary_name": "libjq-dev"
        },
        {
            "binary_version": "1.6-1ubuntu0.20.04.1+esm1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33948.json"