Skip to main content

jq CVE-2026-40612

| EUVDEUVD-2026-29161 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-11 GitHub_M
5.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.6 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVSS changed
May 11, 2026 - 18:22 NVD
5.4 (MEDIUM)
CVE Published
May 11, 2026 - 17:16 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

AnalysisAI

jq 1.8.1 and earlier are vulnerable to stack exhaustion via unbounded recursion in the jv_contains function when processing deeply nested JSON structures. An attacker can craft a malicious JSON input with excessive nesting depth that exhausts the C stack, causing denial of service. The vulnerability requires user interaction to process the malicious input, and CVSS indicates availability impact with exploitability probability.

Technical ContextAI

jq is a lightweight command-line JSON processor implemented in C. The vulnerability lies in the jv_contains function, which recursively traverses nested arrays and objects without enforcing a depth limit. While the JSON parser itself has a safeguard capping nesting depth at 10,000 levels, the jv_contains function can be called programmatically (e.g., via reduce operations) to operate on data structures that exceed this depth. Each recursive call consumes stack space without intermediate checks, leading to stack overflow when processing sufficiently deep structures. This is a classic unbounded recursion flaw (CWE-674) where the recursive descent lacks termination or depth-limiting logic.

RemediationAI

Upgrade jq to version 1.8.2 or later when released by the jqlang project. Check the GitHub repository (https://github.com/jqlang/jq) for the latest stable release. Until patching is possible, apply strict input validation to reject JSON structures with nesting depth exceeding a safe threshold (e.g., 100-500 levels depending on system stack size) before passing them to jq. Deploy jq in restrictive execution environments (containers with reduced stack size, seccomp profiles limiting recursion) to limit the blast radius of stack exhaustion. Avoid exposing jq as a public-facing service that processes untrusted JSON; if unavoidable, implement a timeout and resource limit wrapper around jq execution to kill processes that consume excessive CPU or trigger stack exceptions.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-40612 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy