CVE-2026-40612
jq: Stack overflow via unbounded recursion in jv_contains
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.
| CWE | CWE-674 |
| Vendor | jqlang |
| Product | jq |
| Published | May 11, 2026 |
| Last Updated | May 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for jqlang jq
Be the first to know when new unknown vulnerabilities affecting jqlang jq are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
jqlang / jq
<= 1.8.1