CVE-2026-40612
Stack Overflow in jq JSON Processor
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jqlang | jq | to 1.8.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-40612 vulnerability in the jq library is caused by unbounded recursion in the function `jv_contains`. This function processes nested arrays or objects without any limit on the depth of recursion. When given a deeply nested input structure, the recursion can exhaust the C stack, leading to a stack overflow.
Specifically, functions like `jvp_array_contains` and `jvp_object_contains` call `jv_contains` recursively without controlling how deep the recursion goes. An attacker can exploit this by providing a specially crafted input with very deep nesting, causing the stack to overflow.
On Linux systems with default stack guard pages, this results in a clean denial-of-service condition via a SIGSEGV signal. However, if stack guard pages are not present, the overflow could corrupt adjacent heap memory or other threads' stacks, which could lead to more severe consequences.
How can this vulnerability impact me? :
This vulnerability can impact you by causing a denial-of-service (DoS) condition in applications using the jq library. When exploited, the stack overflow can crash the program processing JSON data, leading to service interruptions.
On systems without proper stack guard protections, the vulnerability could lead to memory corruption, potentially affecting other parts of the application or system, which might result in unpredictable behavior or security breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the jq command-line tool with deeply nested JSON input structures that cause the jv_contains function to recurse without depth limits, leading to stack exhaustion.
A practical approach is to create or use a programmatically generated JSON input with very deep nesting (beyond typical parser limits) and pass it to jq commands that use jv_contains, observing if jq crashes with a segmentation fault (SIGSEGV) or similar stack overflow symptoms.
Example command to test jq with a deeply nested JSON input might be:
- Generate a deeply nested JSON structure (e.g., using a script or tool that creates nested arrays or objects).
- Pass the nested JSON to jq with a filter that triggers jv_contains, for example: `jq 'contains(...)' nested.json` where `contains` uses the vulnerable recursion.
If jq crashes or exits with a segmentation fault, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of jq versions up to and including 1.8.1 on untrusted or user-supplied JSON inputs that may be deeply nested.
If possible, update jq to a version where this vulnerability is fixed or apply patches that introduce depth-limiting in the jv_contains recursion.
Additionally, implement input validation or limit the depth of JSON inputs before processing them with jq to prevent triggering the stack overflow.
On Linux systems, ensure that stack guard pages are enabled to help contain the impact of stack overflows, resulting in a clean crash rather than memory corruption.