Executive Summary

The CVE-2026-40612 vulnerability in the jq library is caused by unbounded recursion in the function `jv_contains`. This function processes nested arrays or objects without any limit on the depth of recursion. When given a deeply nested input structure, the recursion can exhaust the C stack, leading to a stack overflow.

Specifically, functions like `jvp_array_contains` and `jvp_object_contains` call `jv_contains` recursively without controlling how deep the recursion goes. An attacker can exploit this by providing a specially crafted input with very deep nesting, causing the stack to overflow.

On Linux systems with default stack guard pages, this results in a clean denial-of-service condition via a SIGSEGV signal. However, if stack guard pages are not present, the overflow could corrupt adjacent heap memory or other threads' stacks, which could lead to more severe consequences.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing a denial-of-service (DoS) condition in applications using the jq library. When exploited, the stack overflow can crash the program processing JSON data, leading to service interruptions.

On systems without proper stack guard protections, the vulnerability could lead to memory corruption, potentially affecting other parts of the application or system, which might result in unpredictable behavior or security breaches.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the jq command-line tool with deeply nested JSON input structures that cause the jv_contains function to recurse without depth limits, leading to stack exhaustion.

A practical approach is to create or use a programmatically generated JSON input with very deep nesting (beyond typical parser limits) and pass it to jq commands that use jv_contains, observing if jq crashes with a segmentation fault (SIGSEGV) or similar stack overflow symptoms.

Example command to test jq with a deeply nested JSON input might be:

• Generate a deeply nested JSON structure (e.g., using a script or tool that creates nested arrays or objects).
• Pass the nested JSON to jq with a filter that triggers jv_contains, for example: `jq 'contains(...)' nested.json` where `contains` uses the vulnerable recursion.

If jq crashes or exits with a segmentation fault, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include avoiding the use of jq versions up to and including 1.8.1 on untrusted or user-supplied JSON inputs that may be deeply nested.

If possible, update jq to a version where this vulnerability is fixed or apply patches that introduce depth-limiting in the jv_contains recursion.

Additionally, implement input validation or limit the depth of JSON inputs before processing them with jq to prevent triggering the stack overflow.

On Linux systems, ensure that stack guard pages are enabled to help contain the impact of stack overflows, resulting in a clean crash rather than memory corruption.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-40612 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0