CVE-2026-40164
CVE-2026-40164 is a high-severity vulnerability with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-328.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 0% (29th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-22164
- Weakness: CWE-328
- Published:
- Last modified:
Description
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
Frequently asked questions
- What is CVE-2026-40164?
- jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
- How severe is CVE-2026-40164?
- CVE-2026-40164 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-40164 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (29th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-40164?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-40164 have an EU (EUVD) identifier?
- Yes. CVE-2026-40164 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-22164.
- When was CVE-2026-40164 published?
- CVE-2026-40164 was published on 2026-04-14 and last updated on 2026-07-02.
References
- https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784
- https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29
- https://access.redhat.com/errata/RHSA-2026:16252
- https://access.redhat.com/errata/RHSA-2026:16692
- https://access.redhat.com/errata/RHSA-2026:16693
- https://access.redhat.com/errata/RHSA-2026:18040
- https://access.redhat.com/errata/RHSA-2026:18042
- https://access.redhat.com/errata/RHSA-2026:18043
- https://access.redhat.com/errata/RHSA-2026:18044
- https://access.redhat.com/errata/RHSA-2026:18045
- https://access.redhat.com/errata/RHSA-2026:18046
- https://access.redhat.com/errata/RHSA-2026:18047
- https://access.redhat.com/errata/RHSA-2026:18048
- https://access.redhat.com/errata/RHSA-2026:19151
- https://access.redhat.com/errata/RHSA-2026:19365
- https://access.redhat.com/errata/RHSA-2026:23233
- https://access.redhat.com/errata/RHSA-2026:23245
- https://access.redhat.com/errata/RHSA-2026:25044
- https://access.redhat.com/errata/RHSA-2026:25096
- https://access.redhat.com/errata/RHSA-2026:25181
- https://access.redhat.com/errata/RHSA-2026:26528
- https://access.redhat.com/errata/RHSA-2026:26542
- https://access.redhat.com/errata/RHSA-2026:28887
- https://access.redhat.com/errata/RHSA-2026:30078
- https://access.redhat.com/errata/RHSA-2026:30087
- https://access.redhat.com/errata/RHSA-2026:30088
- https://access.redhat.com/errata/RHSA-2026:30089
- https://access.redhat.com/errata/RHSA-2026:8579
- https://access.redhat.com/security/cve/CVE-2026-40164
- https://bugzilla.redhat.com/show_bug.cgi?id=2458084
Other CWE-328 vulnerabilities
- CVE-2026-36182 — Critical (CVSS 9.8): GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing…
- CVE-2020-37168 — Critical (CVSS 9.8): Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force…
- CVE-2025-41652 — Critical (CVSS 9.8): The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated…
- CVE-2025-27595 — Critical (CVSS 9.8): The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily…
- CVE-2022-45141 — Critical (CVSS 9.8): Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and…
- CVE-2023-0452 — Critical (CVSS 9.8): Econolite EOS versions prior to 3.2.23 use a weak hash algorithm for encrypting privileged user credentials. A…