CVE-2026-40164: CWE-328: Use of Weak Hash in jqlang jq
jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 used MurmurHash3 with a hardcoded, publicly known seed for JSON object hashing. This allowed attackers to craft JSON objects that cause all keys to collide in the hash table, degrading lookup performance from O(1) to O(n) and causing jq expressions to run in O(n²) time. This results in significant CPU exhaustion, impacting common jq use cases such as CI/CD pipelines and data processing scripts. The issue has been patched in the specified commit.
AI Analysis
Technical Summary
The vulnerability in jq involves the use of a weak hash function configuration: MurmurHash3 with a fixed, publicly visible seed (0x432A9843) for hashing JSON object keys. Attackers can precompute key collisions offline and supply a crafted JSON object (~100 KB) where all keys hash to the same bucket. This causes hash table lookups to degrade from constant time to linear time, turning jq expression evaluation into a quadratic time operation, leading to high CPU usage and potential denial of service. The vulnerability affects jq versions before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 and has been fixed in that commit.
Potential Impact
Exploitation of this vulnerability causes significant CPU exhaustion due to degraded hash table performance, potentially leading to denial of service in environments using vulnerable jq versions. This affects workflows such as CI/CD pipelines, web services, and data processing scripts that rely on jq for JSON processing. There is no impact on confidentiality or integrity, only availability due to resource exhaustion. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been patched in jq as of commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. Users should upgrade to this commit or later versions to remediate the issue. Since jq is not a cloud service, remediation requires updating the software in affected environments. Patch status is confirmed by the vendor commit; no additional temporary fixes are indicated.
CVE-2026-40164: CWE-328: Use of Weak Hash in jqlang jq
Description
jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 used MurmurHash3 with a hardcoded, publicly known seed for JSON object hashing. This allowed attackers to craft JSON objects that cause all keys to collide in the hash table, degrading lookup performance from O(1) to O(n) and causing jq expressions to run in O(n²) time. This results in significant CPU exhaustion, impacting common jq use cases such as CI/CD pipelines and data processing scripts. The issue has been patched in the specified commit.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in jq involves the use of a weak hash function configuration: MurmurHash3 with a fixed, publicly visible seed (0x432A9843) for hashing JSON object keys. Attackers can precompute key collisions offline and supply a crafted JSON object (~100 KB) where all keys hash to the same bucket. This causes hash table lookups to degrade from constant time to linear time, turning jq expression evaluation into a quadratic time operation, leading to high CPU usage and potential denial of service. The vulnerability affects jq versions before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 and has been fixed in that commit.
Potential Impact
Exploitation of this vulnerability causes significant CPU exhaustion due to degraded hash table performance, potentially leading to denial of service in environments using vulnerable jq versions. This affects workflows such as CI/CD pipelines, web services, and data processing scripts that rely on jq for JSON processing. There is no impact on confidentiality or integrity, only availability due to resource exhaustion. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability has been patched in jq as of commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. Users should upgrade to this commit or later versions to remediate the issue. Since jq is not a cloud service, remediation requires updating the software in affected environments. Patch status is confirmed by the vendor commit; no additional temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T19:31:56.014Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd83f182d89c981f8ff25a
Added to database: 4/14/2026, 12:01:53 AM
Last enriched: 4/14/2026, 12:16:52 AM
Last updated: 4/14/2026, 8:06:30 AM
Views: 14
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.