Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 89.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Apr 14

Description

jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. Thi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

CVEList V5: jqlang/jq < 0c7d133c3c7e37c00b6d46b658a02244fdd3c784

Vulnerability Details (1)

CVEList: jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed (2026-04-13)

Vendor Advisories (1)

Red Hat: jq: jq: Denial of Service via crafted JSON object causing hash collisions (2026-04-13)

Community (2)

Bugzilla: CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions [fedora-all] (2026-04-14)
Bugzilla: CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions (2026-04-14)
CVE-2026-40164 — Use of Weak Hash in Jqlang JQ | cvebase