Vulnerability Description
jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jqlang | Jq | < 1.8.2 |
Related Weaknesses (CWE)
References
- https://github.com/jqlang/jq/security/advisories/GHSA-3pgx-frr7-3jxpExploitMitigationVendor Advisory
FAQ
What is CVE-2026-47770?
CVE-2026-47770 is a vulnerability with a CVSS score of 5.5 (MEDIUM). jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denia...
How severe is CVE-2026-47770?
CVE-2026-47770 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-47770?
Check the references section above for vendor advisories and patch information. Affected products include: Jqlang Jq.