jq Hash Collision Vulnerability: CPU Exhaustion via Crafted JSON

The National Vulnerability Database (NVD) recently detailed CVE-2026-40164, a high-severity vulnerability (CVSS 7.5) affecting jq, the popular command-line JSON processor. This isn’t your typical run-of-the-mill bug; it’s a denial-of-service (DoS) waiting to happen. Prior to a critical commit (0c7d133c3c7e37c00b6d46b658a02244fdd3c784), jq utilized MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843). This seemingly innocuous detail opened the door for a classic hash collision attack.

Attackers could precompute key collisions offline, crafting a relatively small JSON object—around 100 KB—where all keys hash to the same bucket. When jq processes such a payload, hash table lookups degrade catastrophically from an efficient O(1) to a sluggish O(n). This effectively turns any jq expression into an O(n²) operation, leading to significant CPU exhaustion. NVD points out that this is a far more practical exploit than previous heap overflow issues, requiring only a modest payload. Given jq’s prevalence in CI/CD pipelines, web services, and data processing scripts, the potential for disruption is substantial. The fix is in, so get patching if you’re running an older version.