CVE-2026-33947 Overview
CVE-2026-33947 is a Stack Overflow vulnerability affecting jq, a widely-used command-line JSON processor. In versions 1.8.1 and below, the functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of approximately 65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV).
Critical Impact
This vulnerability enables denial of service through an unrecoverable crash affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins.
Affected Products
- jq versions 1.8.1 and below
- Applications and services that process untrusted JSON input through jq
- Systems using jq's setpath, getpath, or delpaths builtins
Discovery Timeline
- 2026-04-13 - CVE CVE-2026-33947 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-33947
Vulnerability Analysis
This vulnerability (CWE-674: Uncontrolled Recursion) exists because jq's path operation functions implement recursive algorithms without enforcing a maximum recursion depth. The existing MAX_PARSING_DEPTH limit of 10,000 only protects the JSON parser during initial document parsing, but does not apply to runtime path operations where arrays can be programmatically constructed to arbitrary lengths.
When processing path arrays, each element triggers a recursive call on the C call stack. By supplying a sufficiently large path array (approximately 65,000 elements), an attacker can exhaust the available stack space, causing a stack overflow that manifests as a segmentation fault (SIGSEGV). This results in an immediate, unrecoverable process crash.
Root Cause
The root cause is the absence of depth validation in the jv_setpath(), jv_getpath(), and delpaths_sorted() functions. These functions recursively process path array elements without checking the array length against any maximum threshold. While the JSON parser enforces a MAX_PARSING_DEPTH limit, this protection does not extend to runtime path operations, creating a bypass vector for resource exhaustion attacks.
Attack Vector
This is a local attack vector requiring the attacker to supply a malicious JSON document to an application or service that uses jq to process untrusted input. The attack payload consists of a flat array containing approximately 65,000 integer elements (~200 KB in size). When this array is passed as a path argument to vulnerable builtins (setpath, getpath, or delpaths), the unbounded recursion exhausts the C call stack, causing the process to crash with a SIGSEGV signal.
The fix introduces a MAX_PATH_DEPTH constant set to 10,000 and validates path array length before processing:
return t;
}
+#ifndef MAX_PATH_DEPTH
+#define MAX_PATH_DEPTH (10000)
+#endif
+
jv jv_setpath(jv root, jv path, jv value) {
if (jv_get_kind(path) != JV_KIND_ARRAY) {
jv_free(value);
jv_free(root);
jv_free(path);
return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
}
+ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
+ jv_free(value);
+ jv_free(root);
+ jv_free(path);
+ return jv_invalid_with_msg(jv_string("Path too deep"));
+ }
if (!jv_is_valid(root)){
jv_free(value);
jv_free(path);
Source: GitHub Commit Update
Detection Methods for CVE-2026-33947
Indicators of Compromise
- Unexpected jq process crashes with SIGSEGV signals in system logs
- JSON payloads containing unusually large flat arrays (65,000+ elements) being processed
- Core dumps from jq processes indicating stack exhaustion
- Repeated service restarts for applications using jq for JSON processing
Detection Strategies
- Monitor for SIGSEGV signals and core dumps from jq processes in system logs
- Implement input validation to detect and reject JSON documents with excessively large arrays before passing to jq
- Use application-level monitoring to track jq process health and restart frequency
- Deploy runtime protection solutions like SentinelOne to detect and alert on abnormal process crashes
Monitoring Recommendations
- Configure centralized logging to capture process crash events associated with jq
- Set up alerting thresholds for jq process failures to detect potential exploitation attempts
- Monitor inbound JSON payloads for anomalous array sizes that could indicate attack attempts
- Enable crash reporting and stack trace collection for forensic analysis
How to Mitigate CVE-2026-33947
Immediate Actions Required
- Update jq to a version containing commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f or later
- Implement input validation to limit the size and depth of JSON arrays before processing with jq
- Review applications that process untrusted JSON input through jq and assess exposure
- Consider temporarily disabling use of setpath, getpath, and delpaths builtins with untrusted input
Patch Information
The vulnerability has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f. This patch introduces a MAX_PATH_DEPTH constant (defaulting to 10,000) that limits the maximum path array length accepted by jv_setpath() and related functions. When a path exceeds this limit, the function returns an invalid value with the error message "Path too deep" instead of recursing. For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Validate and limit the length of JSON arrays before passing them to jq's path operations
- Implement application-level depth checks on JSON path arguments before invoking jq
- Use process isolation or sandboxing to limit the impact of jq crashes on critical services
- Consider pre-filtering untrusted JSON input to reject documents with arrays exceeding 10,000 elements
# Configuration example: Validate JSON array depth before processing with jq
# Pre-check the maximum array length in untrusted input
MAX_ALLOWED_DEPTH=9999
ARRAY_LENGTH=$(echo "$JSON_INPUT" | jq 'if type == "array" then length else 0 end')
if [ "$ARRAY_LENGTH" -gt "$MAX_ALLOWED_DEPTH" ]; then
echo "Error: Input array exceeds maximum allowed depth"
exit 1
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
