CVE-2026-43896

jq: Stack Overflow in Recursive Object Merge

Published: 5/11/2026 Last updated: 5/12/2026 Reserved: 5/4/2026

jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	6.2	Medium	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Opam packages affected (2)

conf-jq travis-opam

Products affected (2)

Product	Vendor	Version
jq	jqlang	(Server Core installation)
jq	jqlang	n/a

References (4)

https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846
https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846
https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846
https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846