| Field | Value |
|---|---|
| Name | CVE-2026-40164 |
| Description | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1133921 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| jq (PTS) | bullseye | 1.6-2.1 | vulnerable |
| jq (PTS) | bullseye (security) | 1.6-2.1+deb11u1 | vulnerable |
| jq (PTS) | bookworm | 1.6-2.1+deb12u1 | vulnerable |
| jq (PTS) | trixie | 1.7.1-6+deb13u1 | vulnerable |
| jq (PTS) | forky, sid | 1.8.1-5 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| jq | source | (unstable) | 1.8.1-5 | | | 1133921 |
[trixie] - jq <no-dsa> (Minor issue)
[bookworm] - jq <no-dsa> (Minor issue)
[bullseye] - jq <postponed> (Minor issue)
https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29
Fixed by: https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784