Can you explain this vulnerability to me?

This vulnerability exists in jq, a command-line JSON processor, specifically in versions 1.8.1 and below. Certain functions (jv_setpath(), jv_getpath(), and delpaths_sorted()) use unbounded recursion controlled by the length of a path array supplied by the caller, without enforcing a depth limit.

An attacker can exploit this by providing a JSON document containing a very large flat array (around 65,000 integers) that, when used as a path argument, causes the jq process to exhaust the C call stack and crash with a segmentation fault (SIGSEGV).

The existing parsing depth limit (MAX_PARSING_DEPTH) only protects the JSON parser, not these runtime path operations, allowing arrays of arbitrary length to trigger this crash.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The primary impact of this vulnerability is denial of service (DoS). Any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins can be forced to crash irrecoverably.

This crash occurs because the process runs out of stack space due to unbounded recursion, resulting in a segmentation fault.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid processing untrusted JSON input with jq versions 1.8.1 and below that use the affected functions jv_setpath(), jv_getpath(), and delpaths_sorted().

Update jq to a version that includes the fix from commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f, which addresses the unbounded recursion issue.

As a temporary measure, restrict or validate JSON input sizes and structures to prevent extremely large flat arrays from being processed by jq's path operations.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing whether the jq process crashes or segfaults when processing JSON input containing very large flat arrays used as path arguments in the vulnerable functions.

A practical detection method is to supply jq with a JSON document containing a flat array of approximately 65,000 integers (~200 KB) as a path argument to functions like setpath, getpath, or delpaths, and observe if the process crashes with a segmentation fault.

Example command to test jq for this vulnerability (assuming jq version 1.8.1 or below):

• Generate a large JSON array: python3 -c 'import json; print(json.dumps(list(range(65000))))' > large_array.json
• Run jq with the large array as a path argument to setpath or getpath and check for crashes, for example:
• jq --argjson path "$(cat large_array.json)" 'setpath($path; 1)' input.json

If jq crashes with a segmentation fault (SIGSEGV) during this test, the system is vulnerable.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability CVE-2026-33947 causes a denial-of-service (DoS) condition by crashing the jq process when processing untrusted JSON input with excessively deep path arrays. This results in availability impact but does not affect confidentiality or integrity.

Since the vulnerability leads to service crashes and unavailability, it could indirectly affect compliance with standards and regulations such as GDPR or HIPAA that require maintaining availability and reliability of systems processing sensitive data.

However, there is no indication that this vulnerability leads to data breaches, unauthorized access, or data corruption, so its direct impact on confidentiality or integrity requirements under these regulations is minimal or none.

Organizations relying on jq in their data processing pipelines should consider this DoS risk as part of their availability controls and ensure patches or mitigations are applied to maintain compliance with availability requirements.

Useful 0 Not Useful 0