CVE-2026-47770

UNKNOWN 0.0

jq: stack overflow in deep structural equality

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.

CWE	CWE-674
Vendor	jqlang
Product	jq
Published	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for jqlang jq

Be the first to know when new unknown vulnerabilities affecting jqlang jq are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

jqlang / jq

< 1.8.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jqlang/jq/security/advisories/GHSA-3pgx-frr7-3jxp