Description
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
Published: 2026-05-11
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

jq, a command‑line JSON processor, can crash when a user runs a crafted program that forces jv_object_merge_recursive() to recurse without bound. The recursion is reached through the * operator applied to two objects, resulting in a stack overflow and a segmentation fault. The crash disables the jq instance, leading to a denial of service of the processing task but does not expose data or privilege escalation directly.

Affected Systems

The vulnerability affects jqlang’s jq versions 1.8.1 and earlier. No newer releases contain the flaw. Users employing these versions on any platform where jq is executed are at risk if they run untrusted jq scripts.

Risk and Exploitability

The CVSS score of 6.2 indicates medium impact and local availability of the flaw; the EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting limited or no known active exploitation. Attackers must supply and execute a malicious jq program, so the primary attack vector is local or requires exploitation of a service that runs jq on untrusted input. The risk is moderate, with a lower likelihood of exploitation until the vulnerability is documented and mitigated.

Generated by OpenCVE AI on May 11, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update jq to a patched release (1.8.2 or newer).
  • If an immediate update is not possible, isolate jq processing from untrusted data sources; use input validation or sandboxing to prevent execution of malicious scripts.
  • Consider disabling the * operator for object operands in environments where jq scripts are executed by untrusted users, reducing the attack surface.

Generated by OpenCVE AI on May 11, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Jqlang
Jqlang jq
Vendors & Products Jqlang
Jqlang jq

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
Title jq: Stack Overflow in Recursive Object Merge
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Jqlang Jq
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T16:15:17.281Z

Reserved: 2026-05-04T15:17:09.331Z

Link: CVE-2026-43896

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-11T18:16:37.530

Modified: 2026-05-12T17:16:20.693

Link: CVE-2026-43896

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T19:45:08Z

Weaknesses