{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40164", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.014Z", "datePublished": "2026-04-13T23:40:12.693Z", "dateUpdated": "2026-04-14T19:27:38.916Z"}, "containers": {"cna": {"title": "jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed", "problemTypes": [{"descriptions": [{"cweId": "CWE-328", "lang": "en", "description": "CWE-328: Use of Weak Hash", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-407", "lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29"}, {"name": "https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784", "tags": ["x_refsource_MISC"], "url": "https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784"}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"version": "< 0c7d133c3c7e37c00b6d46b658a02244fdd3c784", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T23:40:12.693Z"}, "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n\u00b2) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784."}], "source": {"advisory": "GHSA-wwj8-gxm6-jc29", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40164", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T19:08:48.249009Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:27:38.916Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40164", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T19:08:48.249009Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:23:14.106Z"}}], "cna": {"title": "jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed", "source": {"advisory": "GHSA-wwj8-gxm6-jc29", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "jqlang", "product": "jq", "versions": [{"status": "affected", "version": "< 0c7d133c3c7e37c00b6d46b658a02244fdd3c784"}]}], "references": [{"url": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29", "name": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784", "name": "https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n\u00b2) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-328", "description": "CWE-328: Use of Weak Hash"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "CWE-407: Inefficient Algorithmic Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T23:40:12.693Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40164", "state": "PUBLISHED", "dateUpdated": "2026-04-14T19:27:38.916Z", "dateReserved": "2026-04-09T19:31:56.014Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T23:40:12.693Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n\u00b2) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784."}], "id": "CVE-2026-40164", "lastModified": "2026-04-14T00:16:07.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T00:16:07.360", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784"}, {"source": "security-advisories@github.com", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-328"}, {"lang": "en", "value": "CWE-407"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "jq: jq: Denial of Service via crafted JSON object causing hash collisions", "id": "2458084", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458084"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-341", "details": ["A flaw was found in jq, a command-line JSON processor. A remote attacker could exploit this vulnerability by providing a specially crafted JSON object. This object leverages a weakness in jq's hashing algorithm, which uses a hardcoded, publicly known seed. By crafting the JSON object to cause hash collisions, an attacker can degrade the performance of JSON object hash table operations, leading to significant CPU exhaustion and a denial of service (DoS) for systems processing the malicious JSON data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-40164", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "jq", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-13T23:40:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40164\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40164\nhttps://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784\nhttps://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0c7d133c3c7e37c00b6d46b658a02244fdd3c784)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "jq", "source": "cna", "vendor": "jqlang"}, "product": "jq", "vendor": "jqlang"}], "analysis": {"en": {"generated_at": "2026-04-15T01:54:01.007561+00:00", "value": {"mitigation_remediation": ["Apply patch commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 or upgrade to a version of jq that removes the hard\u2011coded seed", "If a patch cannot be applied immediately, restrict jq execution time and CPU usage with OS controls (e.g., cgroups or rate limiting)", "Audit system and CI/CD configuration to confirm use of patched jq binaries and replace any older installations"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via excessive CPU usage caused by hash collision exploitation"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to jq releases from the jqlang project that precede commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. Systems that use jq in CI/CD pipelines, web services, or data\u2011processing scripts without this patch are affected.", "description_and_impact": "jq is a command\u2011line JSON processor that, in older releases, used a hard\u2011coded MurmurHash3 seed for all hash table operations. An attacker can craft a JSON object that forces all keys to hash to the same bucket, turning each hash lookup from O(1) to O(n) and any jq expression into an O(n\u00b2) operation. The resulting CPU exhaustion constitutes a denial of service and represents a resource exhaustion weakness (CWE\u2011407), the use of a hard\u2011coded cryptographic component (CWE\u2011328), and a weak key seed (CWE\u2011341).", "risk_and_exploitability": "The CVSS score of 7.5 signals high severity, and the EPSS score is very low (0.00036), yet the exploit is trivial to deploy by supplying a 100\u202fKB crafted JSON file. There is no CISA KEV listing yet. Once jq processes the malicious input, the DoS impact is immediate and can affect any machine that runs jq, making the risk substantial for environments that have not applied the patch."}}}}, "created": "2026-04-14T16:16:57.829413+00:00", "updated": "2026-04-15T15:45:07.528416+00:00", "vendors": ["jqlang", "jqlang$PRODUCT$jq"]}