jq JSON Processor Vulnerability (CVE-2026-39979): Out-of-Bounds Read in libjq's Error Handler
A critical vulnerability in the widely used `jq` command-line JSON processor exposes any application that links its library to potential memory disclosure or crashes. The flaw, tracked as CVE-2026-39979, resides in the `jv_parse_sized()` API within `libjq`. This function is designed to safely parse JSON from a counted buffer with a caller-supplied length. However, its error-handling path contains a dangerous mismatch: when formatting an error message for malformed JSON, it passes the input buffer to `jv_string_fmt()` with a `%s` conversion, which reads until a NUL terminator is found and ignores the explicit length parameter. This creates a classic out-of-bounds read condition.
The vulnerability is triggered when `jv_parse_sized()` is called with untrusted, non-NUL-terminated input that is malformed. The error logic then reads past the end of the allocated buffer. The impact is direct and broad: any software or service that consumes the `libjq` library and passes user-controlled data to this function is potentially at risk. Depending on the memory layout, this could lead to the disclosure of sensitive memory contents or cause the process to terminate unexpectedly.
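To make the mismatch concrete, the following is an added example, not libjq's own code: two hypothetical formatters over a counted buffer, one using `%s` as the flawed path does and one using `%.*s` so the caller's length bounds the read. The backing array, the neighbouring bytes and the message text are constructed for the demonstration; keeping them inside one allocation lets the unbounded read stay well-defined while still showing what `%s` picks up past the counted region.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for an error formatter; not libjq's own code.
 * Both receive a counted buffer (buf, len), as jv_parse_sized() does. */

/* Vulnerable pattern: "%s" ignores len and reads until a NUL byte. */
int format_error_unbounded(const char *buf, size_t len,
                           char *out, size_t outsz) {
    (void)len;  /* the length is accepted but never used: that is the bug */
    return snprintf(out, outsz, "Invalid JSON text: %s", buf);
}

/* Hardened pattern: "%.*s" bounds the read by the caller-supplied length. */
int format_error_bounded(const char *buf, size_t len,
                         char *out, size_t outsz) {
    /* "%.*s" takes an int precision; clamp so a huge len cannot overflow it. */
    int n = len > (size_t)INT_MAX ? INT_MAX : (int)len;
    return snprintf(out, outsz, "Invalid JSON text: %.*s", n, buf);
}

/* Constructed input: 8 bytes of malformed JSON that are NOT NUL-terminated,
 * followed in the same allocation by bytes the caller never meant to expose.
 * In a real process those trailing bytes are whatever sits after the buffer. */
static const char backing[] = "{\"a\":xyz" "NEIGHBOUR-SECRET";
static const size_t json_len = 8;  /* covers only the malformed JSON */

/* Returns 1 if the formatter copied bytes from beyond the counted region. */
int leaks_neighbour(int (*fmt)(const char *, size_t, char *, size_t)) {
    char msg[128];
    fmt(backing, json_len, msg, sizeof msg);
    return strstr(msg, "NEIGHBOUR-SECRET") != NULL;
}

int main(void) {
    printf("unbounded formatter leaks neighbour: %d\n",
           leaks_neighbour(format_error_unbounded));
    printf("bounded formatter leaks neighbour:   %d\n",
           leaks_neighbour(format_error_bounded));
    return 0;
}
```

The same `%.*s`-with-clamp shape is the check to look for when auditing any error path that echoes a counted, possibly unterminated buffer back into a message.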
The issue has been patched in commit `2f09060afab23fe9390cce7cb860b10416e1bf5f`. Developers and system administrators must urgently update their `jq` installations. The vulnerability underscores the persistent risk in foundational parsing libraries, where a single error in a rarely triggered code path can compromise the security of countless downstream applications that rely on them for data processing.