CVE-2026-43896
Received Received - Intake
jq Stack Overflow via Unbounded Recursion in Object Merge

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43896
EUVD
EUVD-2026-29174
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jqlang jq to 1.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the jq library (version 1.8.1 and earlier) and is caused by unbounded recursion in the function jv_object_merge_recursive(). This function merges nested JSON objects without limiting the depth, which can lead to a stack overflow.

The issue is triggered when the * operator is used to merge two objects, causing the function to recurse indefinitely if the objects have deeply nested matching keys. This results in a segmentation fault that crashes the jq process.

An attacker can exploit this by providing a specially crafted jq program or input designed to cause this deep recursion and crash the process, leading to a denial of service.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. When exploited, it causes the jq process to crash due to a stack overflow triggered by unbounded recursion.

This crash can disrupt any system or application relying on jq for JSON processing, potentially causing interruptions in service or failure of automated workflows.

However, the vulnerability does not allow for code execution or privilege escalation because stack guard protections prevent exploitation beyond the crash.

Detection Guidance

This vulnerability can be detected by observing crashes or segmentation faults in the jq process when processing JSON data involving the * operator on deeply nested objects.

A practical detection method is to run a test jq command that merges deeply nested objects to see if it causes a crash.

For example, a crafted jq program that merges an object nested tens of thousands of levels deep with itself can trigger the vulnerability.

While no exact command is provided, a detection approach involves running jq with a JSON input that exercises the * operator on deeply nested objects and monitoring for segmentation faults.

Mitigation Strategies

Immediate mitigation involves avoiding the use of jq versions 1.8.1 and earlier, as these contain the vulnerable function.

If possible, upgrade jq to a version later than 1.8.1 where this vulnerability is fixed.

Additionally, avoid processing untrusted or crafted JSON inputs that use the * operator on deeply nested objects.

Monitoring jq processes for crashes and limiting the depth of JSON objects processed can also help mitigate the risk.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43896. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart