CVE-2026-43896
Published 2026-05-11
Priority P4 · 23 · medium · 5.5 (CVSS 3.1)
CVSS vector: AV:L AC:L PR:L UI:N S:U C:N I:N A:H
EPSS: 0.15% (4.9th percentile)
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| jqlang | jq | <= 1.8.1 | — |
| jqlang | jq | — | — |
CVSS provenance
nvd (v3.1): 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vendor_redhat: 5.5 MEDIUM
Red Hat
jq: stack overflow in recursive object merge
vendor_redhat·2026-05-11·CVSS 5.5
CVE-2026-43896 [MEDIUM] CWE-674 jq: stack overflow in recursive object merge
A flaw was found in jq, a command line JSON processor. The `jv_object_merge_recursive` function, reachable via the `*` operator when both operands are objects, does not have a depth limit when processing nested objects. This missing depth limit allows an attacker who can supply a sufficiently nested input structure to exhaust the stack memory, causing an application crash and resulting in a denial of service.
Statement: To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq with the `jv_object_merge_recursive` function, reachable via the `*` operator when both operands are objects. This allows the attacker to cause an application crash with no other security impact. Due to these reasons, this vulnerabilit
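The advisory above describes a missing depth limit on nested objects. As an added example (not jq's code nor Red Hat's), the following pre-flight check bounds the nesting depth of untrusted JSON before it is handed to a jq filter that merges objects with `*`; the `MAX_DEPTH` value and the `safe_merge_with_jq` wrapper are assumptions, the sample documents are constructed, and the count includes arrays as well as objects, which makes it a conservative bound.

```python
"""Pre-flight nesting-depth check for JSON passed to jq (added example, not jq's code)."""
import subprocess
from typing import Optional

MAX_DEPTH = 256  # assumed limit; raise it to the deepest structure your filters legitimately need


def json_nesting_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Maximum '{'/'[' nesting depth of `data`, or -1 as soon as `limit` is exceeded.

    Scans raw bytes instead of parsing: Python's json module recurses per level and
    would raise RecursionError on exactly the inputs we want to reject. Brackets inside
    string literals are ignored, and backslash escapes are honoured so "\"{" cannot
    skew the count.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for b in data:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:      # backslash starts an escape
                escaped = True
            elif b == 0x22:      # unescaped quote ends the string
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x7B, 0x5B):  # '{' or '['
            depth += 1
            if depth > limit:
                return -1        # jq <= 1.8.1 would recurse this deep in jv_object_merge_recursive
            max_depth = max(max_depth, depth)
        elif b in (0x7D, 0x5D):  # '}' or ']'
            depth -= 1
    return max_depth


def safe_merge_with_jq(doc: bytes, filter_expr: str = ".[0] * .[1]") -> Optional[bytes]:
    """Run jq only when the document's depth is bounded; None means the input was rejected."""
    if json_nesting_depth(doc) < 0:
        return None
    proc = subprocess.run(["jq", "-c", filter_expr], input=doc, capture_output=True, check=True)
    return proc.stdout


# Constructed sample documents: an ordinary two-object merge and a pathological one.
SHALLOW = b'[{"a":{"x":1}}, {"a":{"y":2}}]'
DEEP = b"[" + b'{"a":' * 10_000 + b"1" + b"}" * 10_000 + b", {}]"
```

`safe_merge_with_jq(SHALLOW)` reaches jq and yields `{"a":{"x":1,"y":2}}`, while `safe_merge_with_jq(DEEP)` returns `None` without ever starting the process.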
VulDB
jqlang jq up to 1.8.1 jv_object_merge_recursive recursion (GHSA-mg96-6h3q-g846)
vuldb·2026-05-11·CVSS 6.2
CVE-2026-43896 [MEDIUM] jqlang jq up to 1.8.1 jv_object_merge_recursive recursion (GHSA-mg96-6h3q-g846)
A vulnerability classified as problematic was found in jqlang jq up to 1.8.1. The affected element is the function jv_object_merge_recursive. Executing a manipulation can lead to uncontrolled recursion.
This vulnerability appears as CVE-2026-43896. The attack requires local access. There is no available exploit.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-43896 jq: stack overflow in recursive object merge [fedora-all]
bugzilla·2026-05-13·CVSS 5.5
CVE-2026-43896 [MEDIUM] CVE-2026-43896 jq: stack overflow in recursive object merge [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-43896 jq: stack overflow in recursive object merge
bugzilla·2026-05-11·CVSS 5.5
CVE-2026-43896 [MEDIUM] CVE-2026-43896 jq: stack overflow in recursive object merge
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
Published: 2026-05-11