Description
jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.
Published: 2026-06-25
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

jq, a command‑line JSON processor, has a flaw that can cause a stack overflow when comparing two deeply nested JSON arrays with the == operator. The lack of a recursion guard in jq’s structural comparison code leads to uncontrolled recursion, ultimately crashing the program. The impact is a denial of service; the attacker cannot gain arbitrary code execution but can make the tool or any service that relies on it unavailable. The weakness corresponds to CWE‑674, uncontrolled recursion.

Affected Systems

The vulnerability affects all installations of jqlang’s jq version earlier than 1.8.2. Any environment that runs jq on user‑supplied or untrusted JSON – such as scripts, build pipelines, or data‑processing services – can be impacted. Updated releases from 1.8.2 onward are not affected.

Risk and Exploitability

With a CVSS score of 6.8, the risk is moderate. No EPSS data are available, and the issue is not listed in CISA’s KEV catalog, suggesting it is not widely exploited yet. The exploit requires the attacker to supply or influence deeply nested JSON to jq, which can be feasible in contexts where untrusted data are fed to jq, like web services or CI/CD scripts. Due to the lack of a remote code execution vector, the primary threat is service interruption rather than full compromise.

Generated by OpenCVE AI on June 25, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jq to version 1.8.2 or later to eliminate the recursion guard deficiency.
  • If upgrade is not immediately possible, validate the depth of JSON inputs to jq by filtering or rejecting extremely nested structures.
  • Run jq in a restricted environment or sandbox to prevent a denial-of-service from impacting critical services.
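The second recommended action above, a depth gate on JSON inputs before they reach jq, as an added example (this is not OpenCVE's or the jq project's code). The guard scans the raw text rather than parsing it, because a recursive parser such as Python's json.loads would itself recurse once per nesting level on exactly the inputs the guard is meant to reject. The limit of 256 and the sample documents are assumptions chosen for illustration, not values taken from the advisory.

```python
import subprocess
from typing import Optional

# Assumed ceiling for this example; the advisory does not state the depth at
# which jq's C stack is exhausted, so pick something far below it.
DEFAULT_MAX_DEPTH = 256


def json_nesting_depth(text: str, limit: Optional[int] = None) -> int:
    """Return the maximum [ / { nesting depth of a JSON document.

    Iterative single pass over the raw text: brackets inside strings are
    ignored, escaped quotes are handled, and no recursion is used, so the
    check cannot be blown up by the input it inspects. With `limit` set the
    scan stops as soon as the depth exceeds it and returns limit + 1, which
    bounds the work done on huge hostile inputs. Raises ValueError when a
    closing bracket has no matching opener.
    """
    depth = 0
    max_depth = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False          # char after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if limit is not None and max_depth > limit:
                    return limit + 1     # early exit: already too deep
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    return max_depth


def is_safe_for_jq(text: str, max_depth: int = DEFAULT_MAX_DEPTH) -> bool:
    """True when the document nests no deeper than max_depth and is balanced."""
    try:
        return json_nesting_depth(text, limit=max_depth) <= max_depth
    except ValueError:
        return False


def run_jq_guarded(jq_filter: str, text: str,
                   max_depth: int = DEFAULT_MAX_DEPTH) -> str:
    """Invoke jq only after the depth gate passes; reject instead of crashing.

    Assumes a `jq` binary on PATH; the filter is passed as a separate argv
    element, never interpolated into a shell string.
    """
    if not is_safe_for_jq(text, max_depth):
        raise ValueError(f"input rejected: nesting deeper than {max_depth}")
    result = subprocess.run(["jq", "-c", jq_filter], input=text,
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample inputs (not from the advisory).
SHALLOW = '{"a": [1, 2, {"b": "[[[not brackets]]]"}]}'   # real depth 3
DEEP = "[" * 100_000 + "]" * 100_000                     # pathological nesting

if __name__ == "__main__":
    print("shallow depth:", json_nesting_depth(SHALLOW))
    print("shallow ok:", is_safe_for_jq(SHALLOW), "deep ok:", is_safe_for_jq(DEEP))
```

Place the gate wherever untrusted JSON is handed to jq (a CI step, a web handler, a log pipeline); the early exit keeps the cost of rejecting a multi-megabyte hostile document at a single partial scan.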



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 17:30:00 +0000

Changes recorded (type, values removed, values added):

  • Description (added): the description text shown at the top of this record.
  • Title (added): jq: stack overflow in deep structural equality
  • Weaknesses (added): CWE-674
  • References:
  • Metrics (added): cvssV4_0 {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T17:22:21.531Z

Reserved: 2026-05-19T22:36:16.882Z

Link: CVE-2026-47770

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T19:00:08Z

Weaknesses