Skip to main content

jq CVE-2026-43896

| EUVD-2026-29174 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-11 GitHub_M
Denial Of Service Red Hat
6.2
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVE Published
May 11, 2026 - 17:24 nvd
MEDIUM 6.2

DescriptionNVD

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

AnalysisAI

Unbounded recursion in jq 1.8.1 and earlier causes denial of service via crafted jq programs using the * operator on nested objects, resulting in process crash with segmentation fault. Local attackers can exploit this vulnerability without authentication to crash jq processes, affecting any system processing untrusted jq filter logic.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

Share

CVE-2026-43896 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy