Description
jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.
Published: 2026-06-25
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

jq, a command‑line JSON processor, has a flaw that can cause a stack overflow when comparing two deeply nested JSON arrays with the == operator. The lack of a recursion guard in jq’s structural comparison code leads to uncontrolled recursion, ultimately crashing the program. The impact is a denial of service; the attacker cannot gain arbitrary code execution but can make the tool or any service that relies on it unavailable. The weakness corresponds to CWE‑674, uncontrolled recursion, and CWE‑770, excessive memory allocation.

Affected Systems

The vulnerability affects all installations of jqlang’s jq version earlier than 1.8.2. Any environment that runs jq on user‑supplied or untrusted JSON – such as scripts, build pipelines, or data‑processing services – can be impacted. Updated releases from 1.8.2 onward are not affected.

Risk and Exploitability

With a CVSS score of 6.8, the risk is moderate. No EPSS data are available, and the issue is not listed in CISA’s KEV catalog, suggesting it is not widely exploited yet. The exploit requires the attacker to supply or influence deeply nested JSON to jq, which can be feasible in contexts where untrusted data are fed to jq, like web services or CI/CD scripts. Due to the lack of a remote code execution vector, the primary threat is service interruption rather than full compromise.

Generated by OpenCVE AI on June 26, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jq to version 1.8.2 or later to eliminate the recursion guard deficiency.
  • If upgrade is not immediately possible, validate the depth of JSON inputs to jq by filtering or rejecting extremely nested structures.
  • Run jq in a restricted environment or sandbox to prevent a denial-of-service from impacting critical services.

Generated by OpenCVE AI on June 26, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4661-1 jq security update
Debian DLA Debian DLA DLA-4662-1 jq security update
History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Jqlang
Jqlang jq
Vendors & Products Jqlang
Jqlang jq

Thu, 25 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.
Title jq: stack overflow in deep structural equality
Weaknesses CWE-674
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:42:45.982Z

Reserved: 2026-05-19T22:36:16.882Z

Link: CVE-2026-47770

cve-icon Vulnrichment

Updated: 2026-06-26T17:50:45.757Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T17:22:21Z

Links: CVE-2026-47770 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T01:30:17Z

Weaknesses
  • CWE-674

    Uncontrolled Recursion

  • CWE-770

    Allocation of Resources Without Limits or Throttling