PT-2026-39709 · Jq · Jq
Califmonk
·
Published
2026-05-11
·
Updated
2026-07-07
·
CVE-2026-40612
CVSS v4.0
6.8
Medium
| Vector | AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
jq versions prior to 1.8.2
Description
The
jv contains() function recurses into nested arrays and objects without a depth limit. When processing a sufficiently nested input structure, this can lead to C stack exhaustion, causing the application to crash.Recommendations
Update to a version later than 1.8.1.
As a temporary workaround, restrict the use of the
jv contains() function when processing deeply nested JSON structures.Exploit
Fix
Uncontrolled Recursion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jq