CVE-2026-40164

Publish date: April 20, 2026
Severity: High
CVSS score: 7.5
Package: jq
Affected versions: >= 1.6-2.1-e1, < 1.7.1-6+deb13u1+e2

jq is a command-line JSON processor. Prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a fixed, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By providing a specially crafted JSON object (approximately 100 KB) in which all keys hashed to the same bucket, hash table lookups could degrade from O(1) to O(n), turning any jq expression over that object into an O(n²) operation and causing significant CPU exhaustion. This vulnerability affected common jq use cases, including CI/CD pipelines, web services, and data processing scripts, and was more feasible to exploit than existing heap overflow issues because it required only a minimal payload. This issue has been resolved in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
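The two defensive points in the description, that a fixed seed makes the key-to-bucket mapping computable offline while a per-process random seed does not, and that a service feeding untrusted JSON to jq can bound the damage with input limits, are illustrated below in an added example. This is not jq's code and does not reproduce jq's hash: keyed BLAKE2b is used here as a stand-in for a seeded hash, and `keyed_bucket`, `fresh_seed`, `buckets_differ`, `check_untrusted_json` and the limit constants are names and values chosen for this example.

```python
import hashlib
import json
import os
from typing import Iterable, Tuple

# Bucket count for the toy table (constructed value for the example).
NBUCKETS = 64


def keyed_bucket(key: str, seed: bytes, nbuckets: int = NBUCKETS) -> int:
    """Map an object key to a bucket index under a seeded hash.

    Keyed BLAKE2b stands in for jq's seeded hash. Whoever knows `seed` can
    compute this mapping for any key in advance; a fixed, published seed
    therefore lets colliding keys be prepared offline, which is the
    precondition for the O(n^2) degradation described in the advisory.
    """
    h = hashlib.blake2b(key.encode("utf-8"), key=seed, digest_size=8)
    return int.from_bytes(h.digest(), "little") % nbuckets


def fresh_seed() -> bytes:
    """Per-process seed drawn at startup from the OS CSPRNG.

    With this in place, the bucket layout is unknown outside the process,
    so a collision set computed against one seed does not carry over.
    """
    return os.urandom(16)


def buckets_differ(keys: Iterable[str], seed_a: bytes, seed_b: bytes) -> bool:
    """True if at least one key lands in a different bucket under the two seeds."""
    return any(keyed_bucket(k, seed_a) != keyed_bucket(k, seed_b) for k in keys)


# Input limits for a service that passes untrusted JSON to jq.
# Constructed thresholds; size them for the real workload.
MAX_BYTES = 64 * 1024
MAX_KEYS_PER_OBJECT = 2000


def check_untrusted_json(text: str,
                         max_bytes: int = MAX_BYTES,
                         max_keys: int = MAX_KEYS_PER_OBJECT) -> Tuple[bool, str]:
    """Return (ok, reason) for a JSON document before handing it to jq.

    Rejects inputs that exceed a byte budget or contain any object with
    more keys than `max_keys`. Bounding per-object key count caps the n in
    the O(n^2) behaviour, which is the cheap mitigation until the patched
    version is deployed.
    """
    if len(text.encode("utf-8")) > max_bytes:
        return False, f"input exceeds {max_bytes} bytes"
    try:
        doc = json.loads(text)
    except (ValueError, RecursionError) as exc:
        return False, f"invalid JSON: {exc}"
    # Iterative walk so deeply nested input cannot exhaust the Python stack.
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if len(node) > max_keys:
                return False, f"object with {len(node)} keys exceeds {max_keys}"
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return True, "ok"


if __name__ == "__main__":
    seed = fresh_seed()
    print("bucket for 'id' under this process seed:", keyed_bucket("id", seed))
    print(check_untrusted_json('{"a": 1, "b": [1, 2]}'))
```

The limit check is a stopgap for services that cannot update immediately; the actual remediation is moving to a jq build that includes commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.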