Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43896

CVE-2026-43896: Jqlang Jq DOS Vulnerability

CVE-2026-43896 is a denial of service flaw in Jqlang Jq caused by unbounded recursion that crashes the process with a segfault. This article covers the technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-43896 Overview

CVE-2026-43896 is a denial-of-service vulnerability in jq, the widely used command-line JSON processor maintained by jqlang. Versions 1.8.1 and earlier contain unbounded recursion in the jv_object_merge_recursive() function. A crafted jq program can trigger a stack overflow and crash the process with a segmentation fault. The function is reachable through the * operator when both operands are objects. The flaw is categorized under CWE-674: Uncontrolled Recursion.

Critical Impact

A local attacker who supplies a malicious jq program or recursive JSON input can crash any process or pipeline that invokes jq, disrupting automation, log processing, and data workflows.

Affected Products

  • jqlang jq version 1.8.1
  • jqlang jq all prior releases through 1.8.1
  • Downstream packages and container images that bundle vulnerable jq builds

Discovery Timeline

  • 2026-05-11 - CVE-2026-43896 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-43896

Vulnerability Analysis

The defect resides in jv_object_merge_recursive(), the routine jq uses to deep-merge two JSON objects. When both operands of the * operator are objects, jq descends into matching keys and recursively merges nested object values. The function imposes no limit on recursion depth, so each nested object level consumes additional native stack space.

An attacker constructs a JSON document or jq expression whose object nesting exceeds the available stack size. Evaluation drives jv_object_merge_recursive() into deep self-calls until the process exhausts its stack and receives SIGSEGV from the operating system. The fault halts the jq process and any shell pipeline or service depending on it.

The vulnerability requires local access and low privileges. It has no confidentiality or integrity impact, but produces high availability impact in automated workflows.

Root Cause

The root cause is missing recursion-depth enforcement in jv_object_merge_recursive(). The function relies on the runtime stack rather than an explicit work list or depth counter. Deeply nested object structures translate directly into deep native call chains.

Attack Vector

Exploitation requires the attacker to influence either the jq program text or the JSON input processed by a vulnerable jq invocation. Any service that runs jq against attacker-controlled JSON or against attacker-supplied filters using the * operator can be crashed on demand. See the jq GitHub Security Advisory GHSA-mg96-6h3q-g846 for the maintainer's technical write-up.

Detection Methods for CVE-2026-43896

Indicators of Compromise

  • Repeated jq process terminations with SIGSEGV recorded in dmesg, journalctl, or container runtime logs
  • Core dump files originating from the jq binary in pipelines that process untrusted JSON
  • Unexpected failures in CI/CD jobs, log shippers, or shell scripts that invoke jq with the * merge operator

Detection Strategies

  • Inventory installed jq versions across hosts and container images and flag any build at or below 1.8.1
  • Inspect scripts and data pipelines for use of the * operator applied to externally sourced JSON
  • Alert on repeated abnormal exits of jq processes across endpoints and build agents

Monitoring Recommendations

  • Forward process-exit and segmentation-fault telemetry from Linux and macOS hosts to a central data lake for correlation
  • Track invocations of jq against attacker-reachable inputs such as webhooks, log streams, and uploaded files
  • Review container image scan results for vulnerable jq packages on each rebuild

How to Mitigate CVE-2026-43896

Immediate Actions Required

  • Upgrade jq to a release later than 1.8.1 as published by the jqlang project
  • Rebuild and redeploy container images and software bundles that statically include jq
  • Audit automation that pipes untrusted JSON into jq and validate input size and nesting depth

Patch Information

Refer to the jq GitHub Security Advisory GHSA-mg96-6h3q-g846 for the fixed version and patch commits. Distribution maintainers are publishing backported packages; apply vendor updates from your operating system as they become available.

Workarounds

  • Avoid the * operator on JSON inputs that originate from untrusted sources until patched builds are deployed
  • Pre-validate JSON inputs and reject documents whose object nesting depth exceeds a safe threshold
  • Run jq under resource limits using ulimit -s or systemd LimitSTACK= to contain crashes to the calling process
bash
# Configuration example
# Constrain jq stack size and reject deeply nested JSON before processing
ulimit -s 8192
jq 'if (.. | objects | length) then . else empty end' input.json \
  && jq '.a * .b' input.json

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.