CVE-2026-47770— jq: stack overflow in deep structural equality
Possible ATT&CK Techniques 1AI
T1496 · Resource HijackingGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47770
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
jq: stack overflow in deep structural equality
Source: NVD (National Vulnerability Database)
Vulnerability Description
jq is a command-line JSON processor. Prior to 1.8.2, comparing two sufficiently deeply nested arrays with the == operator exhausts the C stack on jq's ordinary command-line surface, resulting in denial of service via stack exhaustion (uncontrolled recursion). The crash occurs in jq's recursive structural comparison code, with the recursion repeating through jvp_array_equal() and jv_equal() in src/jv.c when comparing deeply nested arrays; a nearby sort comparator path through jv_cmp() in src/jv_aux.c overflows the stack at a larger nesting depth from the same missing recursion guard. Anyone running jq comparisons on attacker-controlled deeply nested JSON values, or embedding jq in a context where untrusted data can reach the == comparison path, is affected. This vulnerability is fixed in 1.8.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
未经控制的递归
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-47770
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47770
请登录查看更多情报信息。
Other References for CVE-2026-47770 (1)
Same Patch Batch · jqlang · 2026-06-25 · 3 CVEs total
| CVE-2026-49839 | 7.1 HIGH | jq --rawfile invalid-state reuse after String too long causes heap-buffer-overflow |
| CVE-2026-54679 | jq: potential integer overflow in jvp_string_append |
IV. Related Vulnerabilities
Same product: jq
- CVE-2026-49839
jq --rawfile invalid-state reuse after String too long cause - CVE-2026-54679
jq: potential integer overflow in jvp_string_append - CVE-2026-43896
jq: Stack Overflow in Recursive Object Merge - CVE-2026-43895
jq: Embedded NUL in jq import paths causes local redaction-p - CVE-2026-44777
jq: stack overflow in module loading on mutual `include`
Same vendor: jqlang
- CVE-2026-49839
jq --rawfile invalid-state reuse after String too long cause - CVE-2026-54679
jq: potential integer overflow in jvp_string_append - CVE-2026-43896
jq: Stack Overflow in Recursive Object Merge - CVE-2026-43895
jq: Embedded NUL in jq import paths causes local redaction-p - CVE-2026-44777
jq: stack overflow in module loading on mutual `include`
Same weakness: CWE-674
- CVE-2026-54297
Faraday: Uncontrolled recursion in NestedParamsEncoder allow - CVE-2025-71382
MuPDF < 1.27.0-rc1 Stack Exhaustion DoS via EPUB CSS Renderi - CVE-2026-48506
MessagePack-CSharp: MessagePackReader.Skip can recurse witho - CVE-2026-48512
MessagePack-CSharp: JSON conversion APIs can recurse without - CVE-2026-48513
MessagePack-CSharp: DynamicUnionResolver generated deseriali
V. Comments for CVE-2026-47770
No comments yet