Description
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
Published: 2026-05-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A recursion limit is not enforced in jv_contains, causing the C stack to overflow when jq processes deeply nested arrays or objects. The result is a crash of the jq process, which can be exploited for denial of service. The weakness is a classic example of unchecked recursion (CWE-674).

Affected Systems

The vulnerability affects the jq command-line JSON processor distributed by jqlang. Versions 1.8.1 and earlier are susceptible; later releases are presumed fixed.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Based on the nature of jq as a command-line tool, it is inferred that the most likely exploitation scenario involves an attacker delivering a deeply nested JSON file that is processed by jq, such as through an automated build pipeline or a user-supplied script. This inference is not explicitly stated in the CVE description.

Generated by OpenCVE AI on May 11, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jq to a version newer than 1.8.1, which implements a recursion depth limit in jv_contains.
  • Guard against deeply nested JSON by restricting input depth or pre-sanitizing JSON before feeding it to jq.
  • Monitor processing logs or system metrics for indications of stack overflow incidents to detect potential exploitation attempts.
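The second recommended action above (restrict input depth before the document reaches jq) can be implemented with a linear-time, non-recursive pre-check. The following Python is an added example written for this page; it is not OpenCVE's or the jq project's code. It counts bracket nesting while skipping string contents, so the checker itself never recurses, and only hands the text to a full parser once the depth is known to be within a limit. The limit of 64 and the function names are assumptions chosen for illustration; pick a limit that matches the data your pipeline legitimately handles.

```python
import json

MAX_DEPTH = 64  # assumed policy limit for this example; tune to your inputs


def json_max_depth(text: str) -> int:
    """Return the maximum array/object nesting depth of a JSON text.

    Scans characters iteratively (no recursion), tracking whether we are
    inside a string so brackets in string literals are not counted.
    This is a depth measure only, not a full validator: callers should
    still parse the text afterwards once the depth is acceptable.
    """
    depth = 0
    max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            # Inside a string: honour backslash escapes, look for the closing quote.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if depth != 0 or in_string:
        raise ValueError("unterminated structure")
    return max_depth


def is_safe_for_jq(text: str, limit: int = MAX_DEPTH) -> bool:
    """True if the document is well-formed JSON whose nesting is <= limit.

    The cheap depth scan runs first so a hostile document is rejected before
    any recursive parser (here json.loads) touches it.
    """
    try:
        if json_max_depth(text) > limit:
            return False
        json.loads(text)  # full validation only after the depth gate
        return True
    except (ValueError, RecursionError):
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not real data from any incident.
    benign = '{"name": "build", "steps": [["lint"], ["test", ["unit"]]]}'
    hostile = "[" * 200 + "]" * 200  # constructed: far deeper than the policy limit
    print("benign depth:", json_max_depth(benign), "accepted:", is_safe_for_jq(benign))
    print("hostile depth:", json_max_depth(hostile), "accepted:", is_safe_for_jq(hostile))
```

Run the gate on untrusted documents and only invoke jq when it returns True. Note the scope of this control: the CVE description states that jq's own JSON parser already caps input depth at 10000 and that the triggering structure is built inside the filter with reduce, so a depth gate on the data protects pipelines that accept untrusted JSON but cannot protect a pipeline that accepts untrusted jq filters; those need to be treated as untrusted code in their own right.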


Tracking


Advisories

No advisories yet.

History

Mon, 11 May 2026 19:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Jqlang; Jqlang jq
Vendors & Products  |                | Jqlang; Jqlang jq

Mon, 11 May 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
Title       |                | jq: Stack overflow via unbounded recursion in jv_contains
Weaknesses  |                | CWE-674
References  |                |
Metrics     |                | cvssV4_0: {'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:23:27.762Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40612

Vulnrichment

Updated: 2026-05-11T18:23:15.524Z

NVD

Status : Received

Published: 2026-05-11T18:16:33.670

Modified: 2026-05-11T19:16:22.567

Link: CVE-2026-40612

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:00:15Z

Weaknesses