jq DoS via Hash Collision Exploit
CVE-2026-40164 Published on April 13, 2026
jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
Vulnerability Analysis
CVE-2026-40164 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Types
Reversible One-Way Hash
The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques. This weakness is especially dangerous when the hash is used in security algorithms that require the one-way property to hold. For example, if an authentication system takes an incoming password and generates a hash, then compares the hash to another hash that it has stored in its authentication database, then the ability to create a collision could allow an attacker to provide an alternate password that produces the same target hash, bypassing authentication.
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Predictable from Observable State
A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.
Products Associated with CVE-2026-40164
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-40164 are published in these products:
Affected Versions
jqlang jq:- Version < 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 is affected.
- Version 0:1.7.1-11.el10_1.0.2 and below * is unaffected.
- Version 0:1.7.1-11.el10_2.2 and below * is unaffected.
- Version 0:1.7.1-8.el10_0.3 and below * is unaffected.
- Version 0:1.6-12.el8_10 and below * is unaffected.
- Version 0:1.5-12.el8_4.5 and below * is unaffected.
- Version 0:1.5-12.el8_4.5 and below * is unaffected.
- Version 0:1.6-3.el8_6.2 and below * is unaffected.
- Version 0:1.6-3.el8_6.2 and below * is unaffected.
- Version 0:1.6-3.el8_6.2 and below * is unaffected.
- Version 0:1.6-6.el8_8.4 and below * is unaffected.
- Version 0:1.6-6.el8_8.4 and below * is unaffected.
- Version 0:1.6-19.el9_7.0.2 and below * is unaffected.
- Version 0:1.6-19.el9_8.2 and below * is unaffected.
- Version 0:1.6-12.el9_0.3 and below * is unaffected.
- Version 0:1.6-15.el9_2.3 and below * is unaffected.
- Version 0:1.6-16.el9_4.2 and below * is unaffected.
- Version 0:1.6-17.el9_6.4 and below * is unaffected.
- Version 412.86.202606140301-0 and below * is unaffected.
- Version 413.92.202606160406-0 and below * is unaffected.
- Version 414.92.202606231112-0 and below * is unaffected.
- Version 415.92.202606030318-0 and below * is unaffected.
- Version 416.94.202606051757-0 and below * is unaffected.
- Version 417.94.202606250942-0 and below * is unaffected.
- Version 418.94.202606051320-0 and below * is unaffected.
- Version 4.19.9.6.202606031700-0 and below * is unaffected.
- Version 1780681984 and below * is unaffected.
- Version 1782352950 and below * is unaffected.
- Version 1782352919 and below * is unaffected.
- Version 1782353093 and below * is unaffected.
- Version 1782352847 and below * is unaffected.
- Version 1.8.1-3.hum1 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.