CVE-2026-40612

jq: Stack overflow via unbounded recursion in jv_contains

Published: 5/11/2026 Last updated: 5/11/2026 Reserved: 4/14/2026

jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
4.0	5.4	Medium	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Opam packages affected (2)

conf-jq travis-opam

Products affected (1)

Product	Vendor	Version
jq	jqlang	n/a

References (2)

https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j
https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j