CVE-2026-40164

EUVD-2026-22164
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
Debian logo
Debian Releases
Debian Product
Codename
jq
bookworm
vulnerable
bookworm (security)
1.6-2.1+deb12u2
fixed
bullseye
vulnerable
bullseye (security)
1.6-2.1+deb11u3
fixed
forky
1.8.2-1
fixed
sid
1.8.2-1
fixed
trixie
1.7.1-6+deb13u2
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
jq
RHEL 8
0:1.6-12.el8_10
fixed
RHEL 9
0:1.6-19.el9_8.2
fixed
jq-devel
RHEL 8
0:1.6-12.el8_10
fixed
RHEL 9
0:1.6-19.el9_8.2
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
jq
Amazon Linux 2
0:1.6-17.amzn2.0.1
fixed
Amazon Linux 2023
0:1.8.1-59.amzn2023
fixed
jq-debuginfo
Amazon Linux 2
0:1.6-17.amzn2.0.1
fixed
Amazon Linux 2023
0:1.8.1-59.amzn2023
fixed
jq-debugsource
Amazon Linux 2023
0:1.8.1-59.amzn2023
fixed
jq-devel
Amazon Linux 2
0:1.6-17.amzn2.0.1
fixed
Amazon Linux 2023
0:1.8.1-59.amzn2023
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
jq
Azure Linux 3.0
0:1.7.1-5.azl3
fixed
References