CVE-2026-47770

NameCVE-2026-47770
Descriptionjq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4661-1, DLA-4662-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jq (PTS)bullseye1.6-2.1vulnerable
bullseye (security)1.6-2.1+deb11u3fixed
bookworm1.6-2.1+deb12u1vulnerable
bookworm (security)1.6-2.1+deb12u2fixed
trixie1.7.1-6+deb13u2vulnerable
forky1.8.1-8fixed
sid1.8.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jqsourcebullseye1.6-2.1+deb11u3DLA-4661-1
jqsourcebookworm1.6-2.1+deb12u2DLA-4662-1
jqsource(unstable)1.8.1-7

Notes

https://github.com/jqlang/jq/commit/7122866869960b55cea3646bc91334ef55787831
https://github.com/jqlang/jq/pull/3539

Search for package or bug name: Reporting problems