CVE-2026-43896

Published: Mag 11, 2026 Last Modified: Mag 11, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,2

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

674

Uncontrolled Recursion

Draft

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Availability Confidentiality

Potential Impacts:

Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory) Read Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/jqlang/jq/security/advisories/GHSA-mg96-…

https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846

CVE-2026-43896

Description

Uncontrolled Recursion

Common Consequences

Applicable Platforms

Iscriviti alla newsletter