The vulnerability in jq (CVE-2026-33947) arises from unbounded recursion in the jv_setpath(), jv_getpath(), and delpaths_sorted() functions within src/jv_aux.c. These functions use recursion depth controlled by the length of a path array supplied by the caller, but no explicit limit is enforced on this depth. Although jq enforces a MAX_PARSING_DEPTH of 10,000 during JSON parsing, this limit does not apply to runtime path operations, allowing attackers to supply very large path arrays programmatically. By providing a JSON document containing a flat array of approximately 65,000 integers (~200 KB), an attacker can cause jq to exhaust the C call stack, resulting in a segmentation fault (SIGSEGV) and process crash. This vulnerability leads to denial of service in any application or service that uses jq's setpath, getpath, or delpaths builtins on untrusted JSON input. The issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.

Successful exploitation causes an unrecoverable crash of the jq process due to stack exhaustion, resulting in denial of service. There is no impact on confidentiality or integrity. The vulnerability affects any application or service that processes untrusted JSON input using the affected jq builtins. No known exploits in the wild have been reported.

A fix for this vulnerability is available in jq as of commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f. Users should upgrade jq to a version including this commit or later to remediate the issue. Patch status is not explicitly stated in the advisory, so confirm the presence of this commit in your jq version. Until patched, avoid processing untrusted JSON input with jq functions jv_setpath(), jv_getpath(), and delpaths_sorted() or apply input validation to limit path array sizes.