Skip to main content

jq EUVDEUVD-2026-29174

| CVE-2026-43896 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-11 GitHub_M
6.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVE Published
May 11, 2026 - 17:24 nvd
MEDIUM 6.2

DescriptionGitHub Advisory

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

AnalysisAI

Unbounded recursion in jq 1.8.1 and earlier causes denial of service via crafted jq programs using the * operator on nested objects, resulting in process crash with segmentation fault. Local attackers can exploit this vulnerability without authentication to crash jq processes, affecting any system processing untrusted jq filter logic.

Technical ContextAI

The vulnerability exists in the jv_object_merge_recursive() function within jq's object merging logic. CWE-674 (Uncontrolled Recursion) indicates the root cause: the function lacks proper depth limits or cycle detection when recursively merging nested object structures. The * operator in jq performs object multiplication (merge operation), and when both operands are deeply nested objects with recursive references or complex nesting patterns, the function enters unbounded recursion, exhausting the call stack and triggering a segmentation fault. This affects the jq command-line processor (cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*) across all versions up to and including 1.8.1.

RemediationAI

Upgrade to jq 1.8.2 or later, which includes fixes for unbounded recursion in jv_object_merge_recursive(). If immediate upgrade is not feasible, implement input validation by restricting or sanitizing jq filter programs to exclude nested object multiplication operations on untrusted input, or run jq in isolated processes with resource limits (ulimit -s to cap stack size) to contain crash impact. Refer to GitHub security advisory GHSA-mg96-6h3q-g846 for patched version availability and additional mitigation guidance. The stack limit mitigation trades processing capability (may reject legitimate deep-nesting filters) but prevents system-wide impact of a single jq crash.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

EUVD-2026-29174 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy