PT-2026-39709 · Jq · Jq

Califmonk

·

Published

2026-05-11

·

Updated

2026-07-07

·

CVE-2026-40612

CVSS v4.0

6.8

Medium

VectorAV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions jq versions prior to 1.8.2
Description The jv contains() function recurses into nested arrays and objects without a depth limit. When processing a sufficiently nested input structure, this can lead to C stack exhaustion, causing the application to crash.
Recommendations Update to a version later than 1.8.1. As a temporary workaround, restrict the use of the jv contains() function when processing deeply nested JSON structures.

Exploit

Fix

Uncontrolled Recursion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-40612
ECHO-1E5B-F6F3-755B
GHSA-R7M6-X9C7-H69J
OESA-2026-2424
OESA-2026-2425
OESA-2026-2426
OESA-2026-2427
OESA-2026-2487
OPENSUSE-SU-2026:10850-1
OPENSUSE-SU-2026:21248-1
RHSA-2026:29986

Affected Products

Jq