CVE-2026-33948
lowCVSS v3 Base Score
3.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
EPSS Score
0.1%
Exploitation probability in 30 days
Top 67% most likely to be exploited
Attack Characteristics
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Confidentiality
None
Integrity
Low
Availability
None
Published: April 13, 2026 (87 days ago)
Last Modified: April 13, 2026
Vendor: Red Hat
Fix Available: ✓ Yes
Source: REDHAT
Vulnerability Report
Generated by CyberWatcher
Description
A flaw was found in jq, a command-line JSON processor. This vulnerability allows a remote attacker to bypass input validation by crafting malicious JSON input containing embedded null (NUL) bytes. Due to incorrect handling of input buffer lengths, jq truncates the input at the first NUL byte, validating only the benign prefix and silently discarding any malicious data that follows. This can lead to parser differential attacks where downstream systems, relying on jq for validation, may process the full, unvalidated input, potentially leading to unexpected behavior or security compromises.
CWE
CWE-170Affected Products
Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat OpenShift Container Platform 4Red Hat Hardened Images