Skip to main content

CVE-2026-40164

HIGH
Use of Weak Hash (CWE-328)
2026-04-14 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Patch released
Apr 19, 2026 - 08:30 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 00:25 vuln.today
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
HIGH 7.5

DescriptionCVE.org

jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.

AnalysisAI

Algorithmic complexity attack in jq JSON processor allows remote denial of service via hash collision exploitation. An attacker can craft a ~100KB JSON object with precomputed colliding keys that degrade hash table performance from O(1) to O(n²), causing severe CPU exhaustion in unauthenticated network contexts including CI/CD pipelines and web services. The vulnerability stems from a hardcoded MurmurHash3 seed (0x432A9843) that enables offline collision calculation. Fixed in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. CVSS 7.5 (High severity, network-exploitable, no authentication required). No public exploit identified at time of analysis, but attack technique is well-documented and feasible.

Technical ContextAI

The vulnerability exploits a weak hash table implementation in jq's JSON object processing engine. jq uses MurmurHash3 for internal hash table operations with a hardcoded seed value (0x432A9843) that is visible in the source code. Hash functions with static seeds are vulnerable to precomputation attacks where adversaries can calculate colliding inputs offline. In this case, an attacker can craft JSON keys that all hash to the same bucket, forcing the hash table to degrade to a linked list with O(n) lookup time. When jq processes such an object, operations that normally complete in constant time become quadratic O(n²), as each lookup must traverse the entire collision chain and jq may perform multiple lookups per operation. This is classified as CWE-328 (Use of Weak Hash) because the predictable seed enables collision prediction. The attack requires only ~100KB of crafted JSON, making it far more practical than traditional memory-based DoS attacks. The fix randomizes the hash seed per process instance, preventing offline precomputation of collisions.

Affected ProductsAI

The vulnerability affects jq JSON processor versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 in the jqlang/jq repository. All production deployments using jq for processing untrusted JSON input are vulnerable, including installations via package managers (apt, yum, brew, chocolatey), containerized deployments, embedded jq libraries in web applications, and CI/CD pipeline integrations. The issue is present in the core jq codebase regardless of platform (Linux, macOS, Windows) or installation method. Vendor advisory available at https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29 provides detailed technical analysis and confirmation of affected versions.

RemediationAI

Upgrade to jq version containing commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 or later. Users compiling from source should pull the latest main branch from https://github.com/jqlang/jq and rebuild. For package manager installations, monitor vendor repositories for updated packages incorporating this fix and apply updates immediately upon availability. As an interim mitigation where patching is delayed, implement input validation to restrict JSON object size (reject payloads exceeding reasonable application limits, typically under 10KB for most use cases) and enforce processing timeouts to prevent indefinite CPU consumption. Consider rate limiting or sandboxing jq processes in multi-tenant or public-facing environments. Review application logs for unusual CPU spikes or slow jq operations that may indicate exploitation attempts. Organizations using jq in CI/CD pipelines should audit which sources provide JSON input and apply least-privilege access controls. Full technical details and patch information available at https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-40164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy