Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33947

CVE-2026-33947: jq JSON Processor DoS Vulnerability

CVE-2026-33947 is a denial of service flaw in jq command-line JSON processor caused by unbounded recursion in path operations. Attackers can crash the process with crafted arrays. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-33947 Overview

CVE-2026-33947 is a Stack Overflow vulnerability affecting jq, a widely-used command-line JSON processor. In versions 1.8.1 and below, the functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of approximately 65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV).

Critical Impact

This vulnerability enables denial of service through an unrecoverable crash affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins.

Affected Products

  • jq versions 1.8.1 and below
  • Applications and services that process untrusted JSON input through jq
  • Systems using jq's setpath, getpath, or delpaths builtins

Discovery Timeline

  • 2026-04-13 - CVE CVE-2026-33947 published to NVD
  • 2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-33947

Vulnerability Analysis

This vulnerability (CWE-674: Uncontrolled Recursion) exists because jq's path operation functions implement recursive algorithms without enforcing a maximum recursion depth. The existing MAX_PARSING_DEPTH limit of 10,000 only protects the JSON parser during initial document parsing, but does not apply to runtime path operations where arrays can be programmatically constructed to arbitrary lengths.

When processing path arrays, each element triggers a recursive call on the C call stack. By supplying a sufficiently large path array (approximately 65,000 elements), an attacker can exhaust the available stack space, causing a stack overflow that manifests as a segmentation fault (SIGSEGV). This results in an immediate, unrecoverable process crash.

Root Cause

The root cause is the absence of depth validation in the jv_setpath(), jv_getpath(), and delpaths_sorted() functions. These functions recursively process path array elements without checking the array length against any maximum threshold. While the JSON parser enforces a MAX_PARSING_DEPTH limit, this protection does not extend to runtime path operations, creating a bypass vector for resource exhaustion attacks.

Attack Vector

This is a local attack vector requiring the attacker to supply a malicious JSON document to an application or service that uses jq to process untrusted input. The attack payload consists of a flat array containing approximately 65,000 integer elements (~200 KB in size). When this array is passed as a path argument to vulnerable builtins (setpath, getpath, or delpaths), the unbounded recursion exhausts the C call stack, causing the process to crash with a SIGSEGV signal.

The fix introduces a MAX_PATH_DEPTH constant set to 10,000 and validates path array length before processing:

c
   return t;
 }
 
+#ifndef MAX_PATH_DEPTH
+#define MAX_PATH_DEPTH (10000)
+#endif
+
 jv jv_setpath(jv root, jv path, jv value) {
   if (jv_get_kind(path) != JV_KIND_ARRAY) {
     jv_free(value);
     jv_free(root);
     jv_free(path);
     return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
   }
+  if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
+    jv_free(value);
+    jv_free(root);
+    jv_free(path);
+    return jv_invalid_with_msg(jv_string("Path too deep"));
+  }
   if (!jv_is_valid(root)){
     jv_free(value);
     jv_free(path);

Source: GitHub Commit Update

Detection Methods for CVE-2026-33947

Indicators of Compromise

  • Unexpected jq process crashes with SIGSEGV signals in system logs
  • JSON payloads containing unusually large flat arrays (65,000+ elements) being processed
  • Core dumps from jq processes indicating stack exhaustion
  • Repeated service restarts for applications using jq for JSON processing

Detection Strategies

  • Monitor for SIGSEGV signals and core dumps from jq processes in system logs
  • Implement input validation to detect and reject JSON documents with excessively large arrays before passing to jq
  • Use application-level monitoring to track jq process health and restart frequency
  • Deploy runtime protection solutions like SentinelOne to detect and alert on abnormal process crashes

Monitoring Recommendations

  • Configure centralized logging to capture process crash events associated with jq
  • Set up alerting thresholds for jq process failures to detect potential exploitation attempts
  • Monitor inbound JSON payloads for anomalous array sizes that could indicate attack attempts
  • Enable crash reporting and stack trace collection for forensic analysis

How to Mitigate CVE-2026-33947

Immediate Actions Required

  • Update jq to a version containing commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f or later
  • Implement input validation to limit the size and depth of JSON arrays before processing with jq
  • Review applications that process untrusted JSON input through jq and assess exposure
  • Consider temporarily disabling use of setpath, getpath, and delpaths builtins with untrusted input

Patch Information

The vulnerability has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f. This patch introduces a MAX_PATH_DEPTH constant (defaulting to 10,000) that limits the maximum path array length accepted by jv_setpath() and related functions. When a path exceeds this limit, the function returns an invalid value with the error message "Path too deep" instead of recursing. For detailed patch information, see the GitHub Security Advisory.

Workarounds

  • Validate and limit the length of JSON arrays before passing them to jq's path operations
  • Implement application-level depth checks on JSON path arguments before invoking jq
  • Use process isolation or sandboxing to limit the impact of jq crashes on critical services
  • Consider pre-filtering untrusted JSON input to reject documents with arrays exceeding 10,000 elements
bash
# Configuration example: Validate JSON array depth before processing with jq
# Pre-check the maximum array length in untrusted input
MAX_ALLOWED_DEPTH=9999
ARRAY_LENGTH=$(echo "$JSON_INPUT" | jq 'if type == "array" then length else 0 end')
if [ "$ARRAY_LENGTH" -gt "$MAX_ALLOWED_DEPTH" ]; then
    echo "Error: Input array exceeds maximum allowed depth"
    exit 1
fi

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.