Denial of Service via deeply nested array comparison
Summary
jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2. A flaw was found in jq, a command-line JSON processor. This vulnerability allows a local user or an attacker providing malicious input to cause a denial of service (DoS) by comparing two sufficiently deeply nested arrays using the '==' operator. This action exhausts the C stack due to uncontrolled recursion, leading to a crash of the jq process. Red Hat severity: Moderate — CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-770. Fixed by RHSA-2026:29986 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- jq-main-1.8.2-0.1.hum1
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- jq-main-1.8.2-0.1.hum1
- RHSA-2026:29986
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.