Stack Exhaustion Vulnerability in jq Command-Line JSON Processor by JQLang
CVE-2026-40612

5.4 MEDIUM

Key Information:

Vendor

Jqlang

Status
Vendor
CVE Published:
11 May 2026

What is CVE-2026-40612?

The jq command-line JSON processor, in versions 1.8.1 and earlier, contains a vulnerability in its jv_contains function, which recurses into nested arrays and objects without any depth limit. Because the recursion is unbounded, a sufficiently deeply nested structure can exhaust the stack; such structures can be built programmatically to depths beyond the cap that the JSON parser enforces on parsed input. The result is a denial-of-service risk: jq can crash while processing deeply nested values.
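The following is an added illustration, not jq's own code, of the mitigation class this advisory implies: a recursive containment check with jq-like semantics (objects: every key of b present in a with a contained value; arrays: every element of b contained in some element of a; strings: substring; otherwise equality) that refuses to recurse past a fixed depth instead of running until the stack is exhausted. The names `contains`, `safe_contains`, `nest`, `DepthLimitExceeded` and the value of `MAX_DEPTH` are assumptions chosen for this example; jq's actual parser cap is not stated on this page.

```python
# Added example (not jq's jv_contains): a depth-bounded containment check.
# Demonstrates refusing deep nesting rather than recursing without bound.

MAX_DEPTH = 128  # assumed cap for illustration only


class DepthLimitExceeded(ValueError):
    """Raised when nesting exceeds the configured cap."""


def contains(a, b, depth=0, max_depth=MAX_DEPTH):
    """Return True if b is 'contained in' a, using jq-like rules.

    The depth check runs before any recursion, so a value nested deeper
    than max_depth is rejected with an exception instead of consuming
    one stack frame per level until the interpreter (or a C stack) gives out.
    """
    if depth > max_depth:
        raise DepthLimitExceeded(f"nesting depth exceeds {max_depth}")
    if isinstance(a, dict) and isinstance(b, dict):
        # every key of b must exist in a with a contained value
        return all(k in a and contains(a[k], v, depth + 1, max_depth)
                   for k, v in b.items())
    if isinstance(a, list) and isinstance(b, list):
        # every element of b must be contained in some element of a
        return all(any(contains(x, y, depth + 1, max_depth) for x in a)
                   for y in b)
    if isinstance(a, str) and isinstance(b, str):
        return b in a  # substring test
    return a == b      # numbers, booleans, null, or mismatched kinds


def safe_contains(a, b, max_depth=MAX_DEPTH):
    """Return True/False for a normal result, or None if the cap was hit."""
    try:
        return contains(a, b, 0, max_depth)
    except DepthLimitExceeded:
        return None


def nest(depth, leaf=1):
    """Constructed input: `depth` levels of single-element arrays around leaf."""
    v = leaf
    for _ in range(depth):
        v = [v]
    return v


if __name__ == "__main__":
    print(safe_contains({"a": [1, 2, {"b": "xyz"}]}, {"a": [{"b": "y"}]}))  # True
    print(safe_contains(nest(50), nest(50)))    # True: within the cap
    print(safe_contains(nest(200), nest(200)))  # None: cap reached, no crash
```

`safe_contains` turns the cap into an explicit, testable outcome (`None`) so a caller can log or reject the input; in a C code base the equivalent is a depth parameter threaded through the recursion that returns an error code once the limit is crossed.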

Affected Version(s)

jq <= 1.8.1

References

CVSS V4

Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved
