PT-2026-32541 · Jq+2
Bg0D-Glitch · Published 2026-04-13 · Updated 2026-05-24 · CVE-2026-33947
CVSS v3.1: 6.2 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: jq versions 1.8.1 and earlier
Description: A command-line JSON processor is subject to a denial of service. The functions jv_setpath(), jv_getpath(), and delpaths_sorted() in src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array. An attacker can supply a JSON document containing a flat array of approximately 65,000 integers that exhausts the C call stack, resulting in a segmentation fault (SIGSEGV) and a process crash. This occurs because the MAX_PARSING_DEPTH limit only protects the JSON parser and not runtime path operations.
Recommendations: Apply the fix provided in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f. Restrict the use of the setpath, getpath, and delpaths builtins when processing untrusted JSON input to minimize the risk of exploitation.
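The following is an added example of the input-side mitigation the recommendation describes; it is not jq's code and not part of this advisory. It shows why a parser-style nesting-depth limit such as MAX_PARSING_DEPTH does not help here: a flat array has a nesting depth of 1 but can still carry tens of thousands of elements, and each element of a path array becomes one recursion frame in the path operations. The guard therefore bounds array length separately from nesting depth, and is written with an explicit stack rather than recursion so that the guard itself cannot be pushed into a stack overflow. The bounds (256 and 4096), the function names and the sample documents are assumptions constructed for the example, not values taken from jq or from the advisory.

```python
import json

# Constructed bounds (assumptions for this example, not jq's own limits):
# a nesting-depth cap of the kind a JSON parser enforces, and a separate cap on
# the element count of any array, because every element of a path array passed
# to setpath/getpath/delpaths costs one recursive call in jq's path operations.
MAX_NESTING_DEPTH = 256
MAX_ARRAY_LENGTH = 4096


def scan_document(value):
    """Return (max_nesting_depth, max_array_length) for a parsed JSON value.

    The walk uses an explicit stack instead of recursion so that a deeply
    nested document cannot exhaust the guard's own call stack. Scalars at the
    top level yield (0, 0).
    """
    max_depth = 0
    max_len = 0
    stack = [(value, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            max_depth = max(max_depth, depth)
            stack.extend((child, depth + 1) for child in node.values())
        elif isinstance(node, list):
            max_depth = max(max_depth, depth)
            max_len = max(max_len, len(node))
            stack.extend((child, depth + 1) for child in node)
    return max_depth, max_len


def check_untrusted_json(text, max_depth=MAX_NESTING_DEPTH,
                         max_array_length=MAX_ARRAY_LENGTH):
    """Parse text and return (ok, reason); reject documents exceeding either bound.

    RecursionError is caught as well because the standard-library decoder is
    itself recursive and raises it on pathologically nested input.
    """
    try:
        doc = json.loads(text)
    except (ValueError, RecursionError) as exc:
        return False, f"invalid JSON: {exc}"
    depth, longest = scan_document(doc)
    if depth > max_depth:
        return False, f"nesting depth {depth} exceeds {max_depth}"
    if longest > max_array_length:
        return False, f"array length {longest} exceeds {max_array_length}"
    return True, "ok"


# Constructed sample inputs: an ordinary document, and a flat array of 70,000
# integers of the shape the advisory describes. The flat array has nesting
# depth 1, so a depth-only limit would accept it; the length bound rejects it.
BENIGN_DOC = '{"a": {"b": [1, 2, 3]}}'
FLAT_PATH_ARRAY = json.dumps(list(range(70_000)))

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_DOC), ("flat array", FLAT_PATH_ARRAY)):
        ok, reason = check_untrusted_json(text)
        print(f"{label}: depth/length={scan_document(json.loads(text))} -> {ok} ({reason})")
```

The check is deliberately coarse: it rejects any oversized array, not only those a given filter will actually feed to setpath, getpath or delpaths, because the guard runs before the filter and does not know which arrays become paths. For a fixed, trusted filter, the same length bound can instead be applied inside the filter to the specific path values it uses.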

Exploit

Fix

DoS

Uncontrolled Recursion

Weakness Enumeration

Related Identifiers

BDU:2026-05501
CVE-2026-33947
ECHO-A573-F4D9-1605
OESA-2026-1981
OPENSUSE-SU-2026:10850-1
RHSA-2026:8579
USN-8202-1
USN-8202-2

Affected Products

Linuxmint
Ubuntu
Jq