CVE-2026-40612
Published 2026-05-11
Priority: P4 · CVSS 3.1: 5.5 (medium) · Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.16% (5.7th percentile)
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| jqlang | jq | <= 1.8.1 | — |
| jqlang | jq | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | 4.0 | 5.4 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P |
| vendor_redhat | — | 5.4 | MEDIUM | — |
Red Hat
jq: stack overflow via unbounded recursion in jv_contains
vendor_redhat · 2026-05-11 · CVSS 5.4 · MEDIUM · CWE-674
A flaw was found in jq, a command line JSON processor. The `jv_contains` function does not have a depth limit when processing nested arrays or objects. This missing depth limit allows an attacker who can supply a sufficiently nested input structure to exhaust the stack memory, causing an application crash and resulting in a denial of service.
Statement: To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq with the `jv_contains` function. This allows the attacker to cause an application crash with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity.
Mitigation: Do not process untrusted input with the jq command line JSON processor.
VulDB
jqlang jq up to 1.8.1 JSON Parser recursion (GHSA-r7m6-x9c7-h69j)
vuldb · 2026-05-11 · CVSS 5.4 · MEDIUM
A vulnerability marked as problematic has been reported in jqlang jq up to 1.8.1. This vulnerability affects unknown code of the component JSON Parser. This manipulation causes uncontrolled recursion.
This vulnerability is registered as CVE-2026-40612. Remote exploitation of the attack is possible. No exploit is available.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-40612 jq: stack overflow via unbounded recursion in jv_contains [fedora-all]
bugzilla · 2026-05-13 · CVSS 5.4 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-40612 jq: stack overflow via unbounded recursion in jv_contains
bugzilla · 2026-05-11 · CVSS 5.4 · MEDIUM
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
Published 2026-05-11