CVE-2026-47770
Status: Undergoing Analysis - In Progress
Stack Overflow in jq JSON Processor via Deep Array Comparison

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.
Meta Information
Generated: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product   Version / Range
stedolan  jq        prior to 1.8.2 (fixed in 1.8.2)
jqlang    jq        prior to 1.8.2 (fixed in 1.8.2)
CWE
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Executive Summary

This vulnerability exists in jq, a command-line JSON processor, in versions prior to 1.8.2. When two deeply nested JSON arrays are compared with the == operator, jq's recursive structural comparison exhausts the C stack because nothing bounds the recursion depth. The recursion runs through jvp_array_equal() and jv_equal() in src/jv.c; a neighbouring sort comparator path through jv_cmp() in src/jv_aux.c has the same missing guard and overflows at a larger nesting depth. The result is a denial of service: any jq invocation, or any program embedding jq, that lets attacker-controlled deeply nested JSON reach the comparison path can be crashed.

Impact Analysis

The primary impact is denial of service. Deeply nested JSON supplied by an attacker makes jq recurse until the C stack is exhausted, and the process is killed. For the command-line tool this aborts the job; for software that embeds jq, the overflow takes down the host process, so any service that runs jq over untrusted or attacker-controlled input is exposed. No memory corruption beyond the stack exhaustion, and no data disclosure, is described.

Mitigation Strategies

Upgrade jq to version 1.8.2 or later, where the missing recursion guard has been added. This applies equally to software that embeds jq as a library, since the overflow takes down the host process.

Until the upgrade is in place, do not run jq comparisons (== or sorting, which reaches the same code through jv_cmp()) on deeply nested JSON from untrusted sources. Bound the nesting depth of untrusted input before it reaches jq; raising the process stack limit only moves the depth at which the crash occurs and is not a fix.
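One way to enforce that depth bound in front of jq is shown below. This is an added example written for this page, not code from the jq project: it scans raw JSON text with a non-recursive character loop (so the check itself cannot overflow), rejects input nested deeper than a hypothetical MAX_DEPTH of 256, and only then hands the document to a jq binary assumed to be on PATH. The sample documents are constructed for the example.

```python
import shutil
import subprocess

# Hypothetical limit chosen for this example: far below the depth needed to
# exhaust a default C stack, yet generous for real-world documents. Tune it
# to the data you actually process.
MAX_DEPTH = 256


def max_nesting_depth(text: str) -> int:
    """Return the deepest array/object nesting in raw JSON text.

    This is a linear scan over characters, not a parse: it never builds a tree
    and never recurses, so the check cannot itself exhaust the stack. Brackets
    inside string literals (including after escaped quotes) are ignored.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch in "]}":
            depth -= 1
    return max_depth


def check_depth(text: str, limit: int = MAX_DEPTH) -> bool:
    """Return True when `text` is shallow enough to hand to jq; raise otherwise."""
    depth = max_nesting_depth(text)
    if depth > limit:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {limit}")
    return True


def jq_guarded(text: str, jq_filter: str, limit: int = MAX_DEPTH, jq: str = "jq"):
    """Run `jq_filter` over `text` only after the depth check passes.

    Returns jq's stdout, or None when no jq binary is on PATH (so the example
    still runs on machines without jq). Raises ValueError for over-deep input
    before jq is ever started.
    """
    check_depth(text, limit)
    if shutil.which(jq) is None:
        return None
    proc = subprocess.run([jq, jq_filter], input=text, capture_output=True,
                          text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs: a shallow document and a hostile one.
    shallow = '[[1,[2,3]],[1,[2,3]]]'
    hostile = "[" * 100_000 + "]" * 100_000
    print("shallow depth:", max_nesting_depth(shallow))
    print(jq_guarded(shallow, ".[0] == .[1]"))   # "true" on a working jq, None if absent
    try:
        jq_guarded(hostile, ".[0] == .[1]")
    except ValueError as exc:
        print("rejected:", exc)
```

The scan is deliberately permissive about everything except bracket depth: it does not validate the JSON, it only refuses to let jq see a document nested deeper than the limit. Malformed input still reaches jq and is handled by jq's own parser as before.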

Compliance Impact

The vulnerability in jq causes a denial-of-service condition via stack exhaustion when processing deeply nested JSON arrays. It does not involve memory corruption, data leakage, or unauthorized access.

Because the impact is limited to denial-of-service and does not involve compromise of data confidentiality or integrity, there is no direct indication that this vulnerability affects compliance with standards such as GDPR or HIPAA.

However, if jq is used in environments processing sensitive or regulated data, denial-of-service conditions could indirectly impact availability requirements under such regulations.

Detection Guidance

The vulnerability can be confirmed behaviourally: feed jq a document containing two identical, very deeply nested arrays and have it compare them with the equality operator (==). On an affected build the recursive comparison exhausts the C stack and the process is killed by a signal (typically SIGSEGV, which a shell reports as exit status 139); a fixed build completes the comparison without crashing.

A practical approach is to generate such documents at increasing depths and run the comparison on each. The depth at which an affected build crashes depends on the process stack limit, so widen the range if nothing happens at the first few depths. If jq instead reports a parse error, the comparison path was not reached at that depth and the result says nothing about the bug.

Example command (replace nested.json with a file of the form [<nested array>,<same nested array>]):

  • jq '.[0] == .[1]' nested.json

If jq terminates by signal instead of printing true, the vulnerability is present. Only jq versions prior to 1.8.2 are affected.
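The probe described above, automated. This is an added example written for this page, not code from the jq project: it builds the two-nested-array document at a given depth, runs the page's .[0] == .[1] filter through a jq binary assumed to be on PATH, and classifies the outcome by exit status, treating death by signal as the stack overflow. The depth ladder is a guess that you should widen to match your stack limit.

```python
import shutil
import subprocess

JQ_FILTER = ".[0] == .[1]"


def nested_arrays(depth: int) -> str:
    """Constructed probe input: two identical arrays nested `depth` deep,
    wrapped in an outer array so the filter can compare .[0] with .[1]."""
    inner = "[" * depth + "]" * depth
    return f"[{inner},{inner}]"


def classify(returncode: int, stdout: str) -> str:
    """Map a jq run to an outcome. On POSIX, subprocess reports a process
    killed by a signal with a negative return code (SIGSEGV is -11), which is
    what stack exhaustion looks like from outside the process."""
    if returncode < 0:
        return "crashed"
    if returncode != 0:
        return "error"        # e.g. jq's parser refused the input
    return "ok" if stdout.strip() == "true" else "mismatch"


def probe(depth: int, jq: str = "jq", timeout: float = 60.0):
    """Run the equality comparison on arrays nested `depth` deep.
    Returns None when no jq binary is on PATH, "timeout" if jq hangs."""
    if shutil.which(jq) is None:
        return None
    try:
        proc = subprocess.run([jq, JQ_FILTER], input=nested_arrays(depth),
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode, proc.stdout)


def find_crash_depth(depths=(1_000, 10_000, 100_000, 1_000_000), jq: str = "jq"):
    """Walk increasing depths and return the first one where jq dies by
    signal, or None if none crashed or jq is absent. The threshold moves with
    the process stack limit, so widen `depths` if nothing crashes."""
    for depth in depths:
        outcome = probe(depth, jq)
        if outcome is None:
            return None
        print(f"depth {depth:>9}: {outcome}")
        if outcome == "crashed":
            return depth
    return None


if __name__ == "__main__":
    hit = find_crash_depth()
    print("crash depth:", hit if hit else "none observed (fixed jq, jq missing, or depth range too small)")
```

Read an "error" outcome carefully: it means jq exited non-zero before or instead of comparing, so that depth did not exercise the vulnerable path. Only "crashed" on a version prior to 1.8.2 confirms the bug; "ok" at every depth on 1.8.2 or later is the expected result after the fix.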
