CVE-2026-40612— jq: Stack overflow via unbounded recursion in jv_contains

AI Predicted 7.5 Difficulty: Easy EPSS 0.01% · P2 Updated May 15, 2026

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

Vendor	Product	Version Range	Status
jqlang	jq	`<= 1.8.1`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-40612

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

jq: Stack overflow via unbounded recursion in jv_contains

Source: NVD (National Vulnerability Database)

Vulnerability Description

jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

未经控制的递归

Source: NVD (National Vulnerability Database)

Vulnerability Title

jq 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

jq是jqlang开源的一个轻量级且灵活的命令行 JSON 处理器。 jq 1.8.1及之前版本存在安全漏洞，该漏洞源于jv_contains函数递归嵌套数组/对象时无深度限制，可能导致C栈耗尽。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
jqlang	jq	<= 1.8.1	-

II. Public POCs for CVE-2026-40612

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-40612

请登录查看更多情报信息。

Same Patch Batch · jqlang · 2026-05-11 · 7 CVEs total

CVE-2026-43896	6.2 MEDIUM	jq: Stack Overflow in Recursive Object Merge
CVE-2026-43894	6.2 MEDIUM	jq: Wild stack write via signed-integer overflow in decNumber D2U() macro
CVE-2026-41256	5.5 MEDIUM	jq: Embedded NUL truncates top-level jq programs loaded with -f
CVE-2026-43895	4.4 MEDIUM	jq: Embedded NUL in jq import paths causes local redaction-policy bypass and preserves sen
CVE-2026-41257		jq: Signed-int overflow in `stack_reallocate` (jq VM stack)
CVE-2026-44777		jq: stack overflow in module loading on mutual `include`

IV. Related Vulnerabilities

Same product: jq

Same vendor: jqlang

Same weakness: CWE-674

V. Comments for CVE-2026-40612

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-40612— jq: Stack overflow via unbounded recursion in jv_contains

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-40612

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-40612

III. Intelligence Information for CVE-2026-40612

Same Patch Batch · jqlang · 2026-05-11 · 7 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-40612

Leave a comment