CVE-2026-40612 Overview
CVE-2026-40612 is a stack exhaustion vulnerability in jq, the widely deployed command-line JSON processor maintained by jqlang. Versions 1.8.1 and earlier contain an unbounded recursion in the jv_contains function, which descends into nested arrays and objects without a depth limit. An attacker who can supply a sufficiently nested JSON structure can exhaust the C stack and crash the process. The issue is tracked under CWE-674: Uncontrolled Recursion and was disclosed through a GitHub Security Advisory.
Critical Impact
A deeply nested JSON value, built at runtime with reduce in a locally supplied jq program, triggers unbounded recursion in jv_contains, exhausting the C stack and causing denial of service in any pipeline that invokes jq with contains semantics on untrusted input.
Affected Products
- jqlang jq 1.8.1
- jqlang jq, all earlier 1.x releases
- Any tooling, CI pipeline, or shell script that pipes untrusted JSON into jq with contains-based filters
Discovery Timeline
- 2026-05-11 - CVE-2026-40612 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40612
Vulnerability Analysis
The defect resides in jv_contains, the internal routine that implements the contains builtin in jq. The function walks both operands recursively to determine whether one JSON value is contained within another. Each level of nesting consumes one C stack frame, and the implementation enforces no depth ceiling.
The JSON parser in jq does cap nesting at depth 10000, which would normally bound the recursion. However, values constructed at runtime using reduce bypass that parser-side limit. An attacker who can influence a jq program or its input can therefore build a structure deep enough to overflow the thread stack, terminating the process with a segmentation fault.
Root Cause
The root cause is missing depth tracking inside jv_contains. The function relies implicitly on the parser cap rather than enforcing its own depth limit or walking the values iteratively. Once the runtime-constructed value exceeds the available stack, the host operating system delivers SIGSEGV and jq terminates abnormally.
Attack Vector
Exploitation requires local access and user interaction, consistent with the published CVSS 4.0 vector. The realistic delivery path is an automation pipeline, a CI job, or a developer workflow that invokes jq against attacker-influenced JSON or attacker-supplied filter expressions. The impact is confined to availability: jq crashes, breaking the pipeline. No confidentiality or integrity loss is described in the advisory, and no public proof of concept or exploit is currently catalogued.
For technical detail on the recursion path and the reduce-based construction pattern, refer to the jqlang security advisory GHSA-r7m6-x9c7-h69j.
Detection Methods for CVE-2026-40612
Indicators of Compromise
- jq processes terminating with SIGSEGV or exit code 139 when processing JSON inputs.
- Crash dumps or dmesg entries referencing jq and a stack overflow in jv_contains.
- CI/CD job failures correlated with unusually large or deeply nested JSON payloads.
Detection Strategies
- Inventory hosts and container images running jq at version 1.8.1 or earlier using software composition analysis or package manager queries (jq --version, dpkg -l jq, rpm -q jq).
- Alert on repeated abnormal terminations of jq in build agents, log processors, and data pipelines.
- Inspect jq filter strings in source repositories for contains usage applied to untrusted input without prior depth validation.
Monitoring Recommendations
- Forward process exit telemetry and core-dump events from Linux endpoints and build infrastructure to a central analytics tier for correlation.
- Track jq invocations in container workloads and flag those that consume JSON fetched from external HTTP sources.
- Monitor package inventory drift to confirm patched jq versions remain deployed after remediation.
How to Mitigate CVE-2026-40612
Immediate Actions Required
- Upgrade jq to a release later than 1.8.1 as soon as the jqlang project publishes a fixed version; track the GHSA-r7m6-x9c7-h69j advisory for the patched build.
- Audit pipelines that feed external JSON into jq and constrain input size and nesting at the ingress layer.
- Run jq under resource limits so a crash cannot cascade into broader service disruption.
Patch Information
The jqlang maintainers tracked remediation through GitHub Security Advisory GHSA-r7m6-x9c7-h69j. Consult the advisory for the fixed release tag and apply the upgrade through your distribution package manager or container base image refresh once available.
Workarounds
- Pre-validate JSON inputs with a streaming parser that enforces a strict maximum nesting depth before invoking jq.
- Avoid contains against untrusted values; substitute equality checks or explicit field comparisons where feasible.
- Execute jq inside a sandbox with ulimit -s reduced and CPU and memory caps applied so a stack overflow terminates only the isolated process.
# Constrain jq execution to limit blast radius of a stack-exhaustion crash
ulimit -s 2048    # cap stack size (KB) for the current shell
ulimit -t 10      # cap CPU seconds
ulimit -v 262144  # cap virtual memory (KB)
# Reject inputs above a conservative size threshold before piping to jq
MAX_BYTES=1048576
if [ "$(wc -c < input.json)" -gt "$MAX_BYTES" ]; then
    echo "input too large" >&2
    exit 1
fi
jq '.field | contains("value")' input.json
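A depth pre-validator of the kind the first workaround describes, added here as an example and not code from the page or the jq project: it scans the raw JSON bytes, counting bracket depth while skipping over string contents, and rejects the document before it is handed to jq. MAX_DEPTH of 512 is an assumed ceiling (jq's own parser cap is 10000), and the sample inputs are constructed.

```python
import sys

MAX_DEPTH = 512  # assumed conservative ceiling; jq's parser allows 10000


def json_nesting_depth(data: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Return the deepest array/object nesting in a JSON document.

    Works as a flat byte scan (no tree, no recursion), so a hostile input
    cannot exhaust this validator's own stack. Raises ValueError as soon as
    the depth exceeds max_depth, so a deliberately deep payload is rejected
    early. This is a pre-filter, not a full grammar check: jq still parses.
    """
    depth = deepest = 0
    in_string = escaped = False
    for b in data:
        if in_string:  # brackets inside string literals do not count
            if escaped:
                escaped = False
            elif b == 0x5C:  # backslash starts an escape sequence
                escaped = True
            elif b == 0x22:  # unescaped quote closes the string
                in_string = False
            continue
        if b == 0x22:
            in_string = True
        elif b in (0x5B, 0x7B):  # '[' or '{' opens a level
            depth += 1
            if depth > max_depth:
                raise ValueError(f"nesting depth exceeds {max_depth}")
            deepest = max(deepest, depth)
        elif b in (0x5D, 0x7D):  # ']' or '}' closes a level
            if depth == 0:
                raise ValueError("unbalanced closing bracket")
            depth -= 1
    if in_string or depth != 0:
        raise ValueError("truncated or unbalanced JSON")
    return deepest


def is_safe_depth(data: bytes, max_depth: int = MAX_DEPTH) -> bool:
    """True when the document may be passed on to jq, False otherwise."""
    try:
        json_nesting_depth(data, max_depth)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Usage in a pipeline: python3 check_depth.py < input.json && jq ... input.json
    sys.exit(0 if is_safe_depth(sys.stdin.buffer.read()) else 1)
```

This bounds only depth that arrives in the input; a value built at runtime with reduce inside an attacker-supplied filter is never seen by the check, so the filter expressions themselves must also be trusted.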
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.