CVE-2026-43896
jq Stack Overflow via Unbounded Recursion in Object Merge
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jqlang | jq | to 1.8.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the jq library (version 1.8.1 and earlier) and is caused by unbounded recursion in the function jv_object_merge_recursive(). This function merges nested JSON objects without limiting the depth, which can lead to a stack overflow.
The issue is triggered when the * operator is used to merge two objects: the function recurses without a depth limit when the objects have deeply nested matching keys. This results in a segmentation fault that crashes the jq process.
An attacker can exploit this by providing a specially crafted jq program or input designed to cause this deep recursion and crash the process, leading to a denial of service.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition. When exploited, it causes the jq process to crash due to a stack overflow triggered by unbounded recursion.
This crash can disrupt any system or application relying on jq for JSON processing, potentially causing interruptions in service or failure of automated workflows.
However, the vulnerability does not allow for code execution or privilege escalation because stack guard protections prevent exploitation beyond the crash.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing crashes or segmentation faults in the jq process when processing JSON data involving the * operator on deeply nested objects.
A practical detection method is to run a test jq command that merges deeply nested objects to see if it causes a crash.
For example, a crafted jq program that merges an object nested tens of thousands of levels deep with itself can trigger the vulnerability.
While no exact command is provided, a detection approach involves running jq with a JSON input that exercises the * operator on deeply nested objects and monitoring for segmentation faults.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves avoiding the use of jq versions 1.8.1 and earlier, as these contain the vulnerable function.
If possible, upgrade jq to a version later than 1.8.1 where this vulnerability is fixed.
Additionally, avoid processing untrusted or crafted JSON inputs that use the * operator on deeply nested objects.
Monitoring jq processes for crashes and limiting the depth of JSON objects processed can also help mitigate the risk.
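One way to apply the depth-limiting mitigation above is to gate JSON text before it reaches jq; the following is an added example, not code from this advisory or from the jq project. It covers only the input-data side (a crafted jq program needs separate control), and the names `max_json_depth`, `within_depth_limit` and the `MAX_DEPTH` value are assumptions chosen for illustration.

```python
# Added example: iterative nesting-depth gate for JSON text handed to jq.
# MAX_DEPTH and the function names are assumptions, not jq settings.

MAX_DEPTH = 256  # assumed policy limit; tune to your real data


def max_json_depth(text: str) -> int:
    """Return the deepest object/array nesting level in JSON text.

    Scans characters with a counter instead of recursing, so a hostile
    document cannot exhaust the checker's own stack.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            # Brackets inside string literals must not count as nesting.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "}]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if in_string or depth != 0:
        raise ValueError("truncated or unbalanced JSON text")
    return deepest


def within_depth_limit(text: str, limit: int = MAX_DEPTH) -> bool:
    """True if the document may be passed on to jq under the policy."""
    try:
        return max_json_depth(text) <= limit
    except ValueError:
        return False  # reject truncated or unbalanced input outright


if __name__ == "__main__":
    # Constructed samples: a flat record and a 20,000-level nested object.
    flat = '{"user": {"name": "a{b[c", "tags": ["x", "y"]}}'
    deep = '{"k":' * 20000 + "1" + "}" * 20000
    for name, doc in (("flat", flat), ("deep", deep)):
        print(name, max_json_depth(doc), within_depth_limit(doc))
```

The scanner only counts bracket balance and depth; it does not validate the document as JSON, so jq (or another parser) still performs the real parse on anything that passes.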