CVE-2026-43896 Overview
CVE-2026-43896 is a denial-of-service vulnerability in jq, the widely used command-line JSON processor maintained by jqlang. Versions 1.8.1 and earlier contain unbounded recursion in the jv_object_merge_recursive() function. A crafted jq program can trigger a stack overflow and crash the process with a segmentation fault. The function is reachable through the * operator when both operands are objects. The flaw is categorized under CWE-674: Uncontrolled Recursion.
Critical Impact
A local attacker who supplies a malicious jq program or deeply nested JSON input can crash any process or pipeline that invokes jq, disrupting automation, log processing and data workflows.
Affected Products
- jqlang jq 1.8.1 and all earlier releases
- Downstream packages and container images that bundle vulnerable jq builds
Discovery Timeline
- 2026-05-11 - CVE-2026-43896 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43896
Vulnerability Analysis
The defect resides in jv_object_merge_recursive(), the routine jq uses to deep-merge two JSON objects. When both operands of the * operator are objects, jq descends into matching keys and recursively merges nested object values. The function imposes no limit on recursion depth, so each nested object level consumes additional native stack space.
An attacker constructs two object operands, either in the JSON input or built up by the jq program itself, that share a key path nested more deeply than the native stack can accommodate. Evaluating the merge drives jv_object_merge_recursive() into a chain of self-calls until the stack is exhausted and the operating system delivers SIGSEGV. The fault terminates the jq process and fails any shell pipeline or service that depends on its output.
The vulnerability requires local access and low privileges. It has no confidentiality or integrity impact; its effect is loss of availability for the workflow that invoked jq.
Root Cause
The root cause is missing recursion-depth enforcement in jv_object_merge_recursive(). The function relies on the runtime stack rather than an explicit work list or depth counter. Deeply nested object structures translate directly into deep native call chains.
Attack Vector
Exploitation requires the attacker to influence either the jq program text or the JSON input processed by a vulnerable jq invocation. Any service that runs jq against attacker-controlled JSON or against attacker-supplied filters using the * operator can be crashed on demand. See the jq GitHub Security Advisory GHSA-mg96-6h3q-g846 for the maintainer's technical write-up.
Detection Methods for CVE-2026-43896
Indicators of Compromise
- Repeated jq process terminations with SIGSEGV recorded in dmesg, journalctl, or container runtime logs
- Core dump files originating from the jq binary in pipelines that process untrusted JSON
- Unexpected failures in CI/CD jobs, log shippers, or shell scripts that invoke jq with the * merge operator
Detection Strategies
- Inventory installed jq versions across hosts and container images and flag any build at or below 1.8.1
- Inspect scripts and data pipelines for use of the * operator applied to externally sourced JSON
- Alert on repeated abnormal exits of jq processes across endpoints and build agents
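The repeated-exit alert in the last bullet can be implemented directly over the kernel's own segfault messages. The following is an added example, not detection logic from the advisory or the jq project: it parses dmesg-style lines (constructed here; the pids and addresses are invented), keeps only jq faults whose fault address lies next to the stack pointer, which is what recursion-driven stack exhaustion looks like as opposed to a null-pointer fault, and alerts when several land inside a short window. The 64 KiB proximity, the threshold of three and the 60-second window are assumptions to tune; journald-prefixed lines would need a different timestamp pattern.

```python
"""Detect bursts of jq stack-overflow crashes in kernel segfault messages.

Added example, not part of the advisory or the jq project. The log lines below
are constructed in the format of the Linux kernel's "segfault at" message as
printed by dmesg; pids and addresses are invented. The stack-proximity
heuristic, burst threshold and window size are tuning assumptions.
"""
import re
from collections import deque

# Kernel format: "[ts] comm[pid]: segfault at ADDR ip IP sp SP error CODE in obj[base+size]"
SEGFAULT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)

# Heuristic: recursion that runs off the stack faults on the guard page just
# below the current stack pointer, so the fault address sits within a few
# pages of sp. A null-pointer dereference (address 0) is nowhere near it.
STACK_PROXIMITY = 0x10000

# Constructed sample: three jq crashes within two seconds, one unrelated curl
# crash, and a lone jq crash much later.
SAMPLE_DMESG = """\
[ 1012.418212] jq[4312]: segfault at 7ffd2a1fdff8 ip 000055c3e2a1b2c4 sp 00007ffd2a1fe000 error 6 in jq[55c3e2a00000+b0000]
[ 1012.900113] curl[4401]: segfault at 0 ip 00007f1c2d0a1e10 sp 00007ffd0a33c5c0 error 4 in libc.so.6[7f1c2d000000+195000]
[ 1013.002415] jq[4325]: segfault at 7ffc91bfcff0 ip 000055c3e2a1b2c4 sp 00007ffc91bfd000 error 6 in jq[55c3e2a00000+b0000]
[ 1013.550901] jq[4331]: segfault at 7ffe31dfeff8 ip 000055c3e2a1b2c4 sp 00007ffe31dff000 error 6 in jq[55c3e2a00000+b0000]
[ 1500.000000] jq[5120]: segfault at 7ffe31dfeff8 ip 000055c3e2a1b2c4 sp 00007ffe31dff000 error 6 in jq[55c3e2a00000+b0000]
"""


def parse_segfaults(lines):
    """Yield one dict per segfault line; lines that do not match are skipped."""
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        addr, sp = int(m["addr"], 16), int(m["sp"], 16)
        yield {
            "ts": float(m["ts"]),
            "comm": m["comm"],
            "pid": int(m["pid"]),
            "addr": addr,
            "sp": sp,
            "error": int(m["err"]),
            "stack_like": abs(addr - sp) <= STACK_PROXIMITY,
        }


def jq_stack_faults(lines):
    """Segfaults from the jq binary whose fault address is next to the stack pointer."""
    return [e for e in parse_segfaults(lines) if e["comm"] == "jq" and e["stack_like"]]


def burst_alerts(events, threshold=3, window=60.0):
    """Timestamps at which `threshold` matching faults fell inside `window` seconds.

    The deque holds only events still inside the window; an alert fires each
    time its length reaches exactly `threshold`, so one burst yields one alert
    rather than one per additional crash.
    """
    recent = deque()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        recent.append(e["ts"])
        while e["ts"] - recent[0] > window:
            recent.popleft()
        if len(recent) == threshold:
            alerts.append(e["ts"])
    return alerts


def analyse(text=SAMPLE_DMESG):
    """Run the full pipeline over a dmesg dump and return (faults, alerts)."""
    faults = jq_stack_faults(text.splitlines())
    return faults, burst_alerts(faults)


if __name__ == "__main__":
    faults, alerts = analyse()
    for f in faults:
        print(f"jq pid {f['pid']} crashed at t={f['ts']:.3f}, fault {f['addr']:#x} vs sp {f['sp']:#x}")
    for ts in alerts:
        print(f"ALERT: repeated jq stack faults, burst reached threshold at t={ts:.3f}")
```

On the constructed sample the three crashes around t=1013 produce a single alert and the later lone crash does not, while the curl fault at address 0 is filtered out as unrelated. Feed it `dmesg` output, or `journalctl -k -o short-unix` after adjusting the timestamp pattern, to run it against real hosts.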
Monitoring Recommendations
- Forward process-exit and segmentation-fault telemetry from Linux and macOS hosts to a central data lake for correlation
- Track invocations of jq against attacker-reachable inputs such as webhooks, log streams, and uploaded files
- Review container image scan results for vulnerable jq packages on each rebuild
How to Mitigate CVE-2026-43896
Immediate Actions Required
- Upgrade jq to a release later than 1.8.1 as published by the jqlang project
- Rebuild and redeploy container images and software bundles that statically include jq
- Audit automation that pipes untrusted JSON into jq and validate input size and nesting depth
Patch Information
Refer to the jq GitHub Security Advisory GHSA-mg96-6h3q-g846 for the fixed version and patch commits. Where your operating system vendor ships a backported package, apply that update as it becomes available; otherwise install or build jq from a fixed upstream release.
Workarounds
- Avoid the * operator on JSON inputs that originate from untrusted sources until patched builds are deployed
- Pre-validate JSON inputs and reject documents whose object nesting depth exceeds a safe threshold
- Isolate jq invocations so that a crash fails only the step that called jq: check its exit status explicitly and, in long-lived services, run it with a timeout and handle the failure rather than letting it propagate. Stack limits (ulimit -s, systemd LimitSTACK=) do not prevent the crash: a smaller stack lowers the nesting depth needed to trigger it, and a larger one only raises that depth
# Configuration example
# Reject deeply nested JSON before letting jq merge it. The depth limit of 64 is an
# illustrative value; tune it to the deepest legitimate document the pipeline needs.
# jq -e derives the exit status from the last output (false or null -> 1), so a document
# that is too deep, or that jq cannot parse at all, stops the chain before the merge runs.
jq -e 'def depth: if type == "object" or type == "array"
                  then 1 + ([.[] | depth] | max // 0) else 0 end;
       depth <= 64' input.json \
&& jq '.a * .b' input.json
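Where the gate has to run outside jq (for example before an untrusted document is stored or forwarded to several consumers), the same nesting limit can be enforced with a plain scan of the text. The following is an added example, not code from the advisory or the jq project. It counts brackets with a single integer rather than building a parse tree, so the validator cannot itself be driven into deep recursion by the document it is checking; the 64-level limit, the helper names and the assumption that a jq binary is on PATH are all illustrative choices.

```python
"""Pre-validate JSON nesting depth before handing a document to jq.

Added example, not code from the jq project or the original advisory. The scan
keeps one integer counter instead of building a parse tree, so it cannot be
pushed into deep recursion by the very document it is checking (json.loads, by
contrast, recurses and raises RecursionError around a thousand levels). The
limit of 64 and the helper names are assumptions chosen for illustration.
"""
import subprocess
import sys

MAX_NESTING_DEPTH = 64  # assumption: raise or lower to match legitimate data


def max_json_depth(text: str) -> int:
    """Return the deepest object/array nesting level in a JSON document.

    Brackets inside string literals are skipped, including after escaped
    quotes, so {"k": "]]]]"} is depth 1. Raises ValueError on unbalanced
    brackets or an unterminated string, because a truncated document must
    never be reported as safe.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "}]":
            depth -= 1
            if depth < 0:
                raise ValueError("closing bracket without matching opener")
    if depth != 0 or in_string:
        raise ValueError("document is truncated or unbalanced")
    return deepest


def is_safe_for_jq(text: str, limit: int = MAX_NESTING_DEPTH) -> bool:
    """True only for well-formed documents whose nesting stays within limit."""
    try:
        return max_json_depth(text) <= limit
    except ValueError:
        return False


def nested_object(levels: int) -> str:
    """Constructed test input: an object chain {"a": {"a": ... {}}} `levels` deep."""
    if levels < 1:
        raise ValueError("levels must be >= 1")
    return '{"a": ' * (levels - 1) + "{}" + "}" * (levels - 1)


def gate_and_merge(text: str, jq_filter: str = ".a * .b") -> str:
    """Run jq only after the document passes the depth gate.

    Assumes a jq binary on PATH (not exercised by the checks below). Raises
    before invoking jq when the input is too deep or malformed, which is the
    behaviour the workaround calls for.
    """
    if not is_safe_for_jq(text):
        raise ValueError("refusing to pass deeply nested or malformed JSON to jq")
    result = subprocess.run(
        ["jq", "-c", jq_filter], input=text, capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Both operands nest a few levels along the same key path: a legitimate, shallow merge.
    doc = '{"a": {"x": {"y": {"z": 1}}}, "b": {"x": {"y": {"w": 2}}}}'
    print(max_json_depth(doc), is_safe_for_jq(doc))
    print(is_safe_for_jq(nested_object(MAX_NESTING_DEPTH + 1)))  # rejected
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(gate_and_merge(fh.read()))
```

Because the scan is linear in the input and uses constant extra state, it handles a 100,000-level document as cheaply as a flat one, which is exactly the property a gate in front of a recursion-sensitive consumer needs.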
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.