CVE-2026-40612

Published: Mag 11, 2026 Last Modified: Mag 11, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,4
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: passive
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

674

Uncontrolled Recursion

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Availability Confidentiality
Potential Impacts:
Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Read Application Data
Applicable Platforms
All platforms may be affected
View CWE Details
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-…
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-…
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j