Anonymous Intelligence Signal

jq CVE-2026-39956: Memory-Safety Bug in JSON Processor Exposes Untrusted Filter Deployments

The Lab (unverified) | 2026-04-15 02:22:46 | Source: GitHub Issues

A vulnerability in the ubiquitous `jq` command-line JSON processor lets an attacker who controls the filter text crash the tool and, with more effort, read memory it should not touch, exposing any system that evaluates untrusted jq filters. The flaw, designated CVE-2026-39956, stems from a missing type check in the `_strindices` builtin. jq's internal functions guard argument types with `assert()`, and release builds are compiled with the standard `-DNDEBUG` flag, which strips every `assert()` out of the binary; the builtin therefore passes non-string arguments straight to a lower-level string routine that never expected them. The result is a trivial denial of service and, with a specially chosen numeric argument, a limited memory-read primitive.

The bug was introduced in commits after `69785bf77f86e2ea1b4a20ca86775916889e91c9`. The `_strindices` function in `src/builtin.c` does not verify that its arguments are strings before handing them to `jv_string_indexes()` in `src/jv.c`, and that function relies solely on `assert()` statements for the check, which are compiled out in production builds. The reason a stray number is dangerous rather than merely wrong is jq's value representation: a `jv` is a tagged union in which a number's double and a string's heap pointer share the same storage, so once the assert is gone the string routine reads the number's IEEE-754 bit pattern as a pointer. A filter such as `_strindices(0)` applied to a string input therefore dereferences NULL and crashes the process, while a number whose bit pattern forms a valid address makes the routine read from that address, which is where the type-confusion and out-of-bounds-read classifications come from.
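The following is an added example, not jq's own code, that models the bug class described above: a tagged union of a double and a pointer, a string routine whose only type check is an `assert()`, and the explicit check that a release build needs. The type, field and function names (`val`, `K_STRING`, `str_indexes_unchecked`, `str_indexes_checked`) are the example's own, the scan loop only mimics the overlapping-match behaviour of `jv_string_indexes()` on ASCII, and the address `0x0000555555550000` is an arbitrary constructed bit pattern. The unchecked function is defined but deliberately never called on a number, since under `-DNDEBUG` it would read through the reinterpreted pointer exactly as the real bug does.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a jq-style tagged value.  jq's `jv` keeps a kind tag
 * plus a union in which a number's double and a string's heap pointer
 * overlap; the names here (val, K_*, mk_*) are the example's own. */
typedef enum { K_INVALID = 0, K_NUMBER, K_STRING } kind_t;

typedef struct {
    kind_t kind;
    union {
        double number;     /* payload when kind == K_NUMBER */
        const char *str;   /* payload when kind == K_STRING (stands in for jq's string object) */
    } u;
} val;

static val mk_num(double d)      { val v; v.kind = K_NUMBER; v.u.number = d; return v; }
static val mk_str(const char *s) { val v; v.kind = K_STRING; v.u.str = s;    return v; }

/* Build a double from a chosen bit pattern: this is what an attacker who
 * writes the filter text controls. */
double double_with_bits(uint64_t bits) {
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* The address the union yields when a number is read back as a pointer. */
uintptr_t bits_as_pointer(double d) {
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return (uintptr_t)bits;
}

/* Byte offsets of every (possibly overlapping) occurrence of needle in hay,
 * modelled on the scan loop in jv_string_indexes().  Stores up to max
 * offsets in out and returns the number of matches found. */
static int scan_indices(const char *hay, const char *needle, int *out, int max) {
    int n = 0;
    if (*needle == '\0') return 0;            /* jq returns [] for an empty needle */
    for (const char *p = strstr(hay, needle); p; p = strstr(p + 1, needle)) {
        if (n < max) out[n] = (int)(p - hay);
        n++;
    }
    return n;
}

/* BEFORE: the only type check is an assert().  Built with -DNDEBUG the
 * assert is compiled out, so a K_NUMBER argument reaches the scan and its
 * double is read through the union as a char* (type confusion). */
int str_indexes_unchecked(val hay, val needle, int *out, int max) {
    assert(hay.kind == K_STRING);
    assert(needle.kind == K_STRING);
    return scan_indices(hay.u.str, needle.u.str, out, max);
}

/* AFTER: an explicit check that survives release builds.  Returns -1 (where
 * jq would raise a type error) without ever touching the payload. */
int str_indexes_checked(val hay, val needle, int *out, int max) {
    if (hay.kind != K_STRING || needle.kind != K_STRING) return -1;
    return scan_indices(hay.u.str, needle.u.str, out, max);
}

int main(void) {
    int out[8];
    int n = str_indexes_checked(mk_str("a,b,,c"), mk_str(","), out, 8);
    printf("checked: %d matches at", n);
    for (int i = 0; i < n; i++) printf(" %d", out[i]);
    printf("\nchecked with number argument: %d (rejected)\n",
           str_indexes_checked(mk_str("abc"), mk_num(0), out, 8));

    /* What the unchecked path would dereference under -DNDEBUG. */
    printf("number 0 -> pointer %#lx (NULL dereference)\n",
           (unsigned long)bits_as_pointer(0.0));
    printf("crafted  -> pointer %#lx (attacker-chosen address)\n",
           (unsigned long)bits_as_pointer(double_with_bits(0x0000555555550000ULL)));
    return 0;
}
```

Compile once with `-UNDEBUG` and once with `-DNDEBUG` and the difference is the whole bug: in the first build `str_indexes_unchecked` on a number aborts with an assertion message, in the second it dereferences whatever the double's bits spell out. The checked variant behaves identically in both builds, which is the property a fix for this class of bug has to have.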

The exposure is significant for any deployment where jq evaluates filters from untrusted sources, a common pattern in data pipelines, web applications, and DevOps tooling; where the filter text is fixed and only the JSON input is untrusted, the attacker has no direct way to reach the unchecked argument. That precondition is reflected in the assigned CVSS score of 6.1 (Medium). The issue is classified under CWE-125 (out-of-bounds read), CWE-476 (NULL pointer dereference), and CWE-843 (type confusion). A fix has been released in commit `fdf8ef0f0810e3d365cdd5160de43db46f57ed03`; administrators are urged to update to a build containing it to remove the risk of service disruption and potential information leakage, and, until then, to treat jq filter text as code and not accept it from untrusted parties.