CVE-2026-33947Uncontrolled Recursion in JQ

CWE-674Uncontrolled Recursion5 documents4 sources
Severity
6.2MEDIUMNVD
EPSS
0.0%
top 98.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jqlang JQ
Timeline
PublishedApr 13
Latest updateApr 14

Description

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation faul

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.5 | Impact: 3.6

Affected Packages1 packages

CVEListV5jqlang/jq< fb59f1491058d58bdc3e8dd28f1773d1ac690a1f

🔴Vulnerability Details

1
CVEList
jq: Unbounded Recursion in jv_setpath(), jv_getpath() and delpaths_sorted()2026-04-13

📋Vendor Advisories

1
Red Hat
jq: unbounded Recursion in jv_setpath() / jv_getpath() / delpaths_sorted()2026-04-13

💬Community

2
Bugzilla
CVE-2026-33947 jq: unbounded Recursion in jv_setpath() / jv_getpath() / delpaths_sorted() [fedora-all]2026-04-14
Bugzilla
CVE-2026-33947 jq: unbounded Recursion in jv_setpath() / jv_getpath() / delpaths_sorted()2026-04-13
CVE-2026-33947 — Uncontrolled Recursion in Jqlang JQ | cvebase