CVE-2026-40164: jq: Algorithmic complexity DoS via hardcoded MurmurHash3 seed
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
Security readout for executives and security teams
Plain-English summary
jq can be forced to consume excessive CPU when it processes a specially crafted JSON object. The issue affects availability, not data theft or tampering. It matters most where jq handles attacker-supplied or partner-supplied JSON in automation, services, or data pipelines.
Executive priority
Treat as high priority for automation and service environments that parse untrusted JSON. It is an availability risk with low attack complexity, but the provided sources do not establish active exploitation. Patch during the next urgent maintenance window, sooner for internet-facing or shared processing paths.
Technical view
Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded public seed for JSON object hash tables. Precomputed key collisions could degrade hash lookups from O(1) to O(n), making expressions O(n²) and causing CPU exhaustion. CVSS is 7.5 high, availability impact only.
Likely exposure
Likely exposure is jq embedded in CI/CD jobs, web services, container images, scripts, and data processing paths that parse untrusted JSON. Red Hat advisories show downstream vendor handling exists, but exact package status must be checked per platform.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation. Exploitation requires sending crafted JSON to a vulnerable jq processing path. The provided advisory describes a small practical payload size, but no weaponization details should be assumed beyond that.
Researcher notes
The key condition is attacker influence over JSON object keys processed by vulnerable jq. The issue is algorithmic complexity from predictable hash seeding, mapped to CWE-328, CWE-341, and CWE-407. Validate exposure by provenance and code-path analysis, not only by package presence.
Mitigation direction
Update jq to a build containing commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
Apply relevant vendor packages or Red Hat errata where jq is OS-managed.
Prioritize systems where jq processes untrusted JSON inputs.
Follow vendor guidance if immediate patching is not available.
Apply CPU timeouts around jq-driven processing where operationally feasible.
Validation and detection
Inventory jq binaries in hosts, containers, CI runners, and build images.
Check package advisories for each operating system distribution in use.
Confirm installed jq includes the fixed upstream commit or vendor backport.
Trace workflows where external JSON is passed into jq.
Monitor affected workflows for CPU spikes, timeouts, or queue backlogs.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-328: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.