Description
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via excessive CPU usage caused by hash collision exploitation
Action: Immediate Patch
AI Analysis

Impact

jq is a command‑line JSON processor that, in older releases, used a hard‑coded MurmurHash3 seed for all hash table operations. An attacker can craft a JSON object that forces all keys to hash to the same bucket, turning each hash lookup from O(1) to O(n) and any jq expression into an O(n²) operation. The resulting CPU exhaustion constitutes a denial of service and represents a resource exhaustion weakness (CWE‑407), the use of a hard‑coded cryptographic component (CWE‑328), and a weak key seed (CWE‑341).

Affected Systems

The vulnerability applies to jq releases from the jqlang project that precede commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. Systems that use jq in CI/CD pipelines, web services, or data‑processing scripts without this patch are affected.

Risk and Exploitability

The CVSS score of 7.5 signals high severity, and the EPSS score is very low (0.00036), yet the exploit is trivial to deploy by supplying a 100 KB crafted JSON file. There is no CISA KEV listing yet. Once jq processes the malicious input, the DoS impact is immediate and can affect any machine that runs jq, making the risk substantial for environments that have not applied the patch.

Generated by OpenCVE AI on April 15, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply patch commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 or upgrade to a version of jq that removes the hard‑coded seed
  • If a patch cannot be applied immediately, restrict jq execution time and CPU usage with OS controls (e.g., cgroups or rate limiting)
  • Audit system and CI/CD configuration to confirm use of patched jq binaries and replace any older installations

Generated by OpenCVE AI on April 15, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8202-2 jq vulnerabilities
History

Wed, 15 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-341
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 14 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Jqlang
Jqlang jq
Vendors & Products Jqlang
Jqlang jq

Tue, 14 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
Title jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed
Weaknesses CWE-328
CWE-407
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Jqlang Jq
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T19:27:38.916Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40164

cve-icon Vulnrichment

Updated: 2026-04-14T19:23:14.106Z

cve-icon NVD

Status : Deferred

Published: 2026-04-14T00:16:07.360

Modified: 2026-04-28T21:15:56.987

Link: CVE-2026-40164

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-13T23:40:12Z

Links: CVE-2026-40164 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T15:45:07Z

Weaknesses