UBUNTU-CVE-2026-33947

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-33947

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33947

Upstream

CVE-2026-33947

Downstream

USN-8202-1

USN-8202-2

Related

Published

2026-04-13T22:16:00Z

Modified

2026-05-20T16:25:31.561566102Z

Severity

6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

jq is a command-line JSON processor. In versions 1.8.1 and below, functions jvsetpath(), jvgetpath(), and delpathssorted() in jq's src/jvaux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAXPARSINGDEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.

References

Affected packages

Ubuntu:22.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6-2.1ubuntu3.2

Affected versions

1.*

1.6-2.1ubuntu2

1.6-2.1ubuntu3

1.6-2.1ubuntu3.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.6-2.1ubuntu3.2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.6-2.1ubuntu3.2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json"

Ubuntu:24.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.1-3ubuntu0.24.04.2

Affected versions

1.*

1.6-3

1.7-1

1.7.1-2

1.7.1-3

1.7.1-3build1

1.7.1-3ubuntu0.24.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.7.1-3ubuntu0.24.04.2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.7.1-3ubuntu0.24.04.2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json"

Ubuntu:25.10

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.1-3ubuntu1.1

Affected versions

1.*

1.7.1-3ubuntu1

1.7.1-6ubuntu1

1.8.1-3ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.8.1-3ubuntu1.1"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.8.1-3ubuntu1.1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json"

Ubuntu:26.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.1-4ubuntu2

Affected versions

1.*

1.8.1-3ubuntu1

1.8.1-4ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.8.1-4ubuntu2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.8.1-4ubuntu2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json"

Ubuntu:Pro:14.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3-1.1ubuntu1.1+esm4

Affected versions

1.*

1.2-8

1.3-1

1.3-1.1ubuntu1

1.3-1.1ubuntu1.1

1.3-1.1ubuntu1.1+esm3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.3-1.1ubuntu1.1+esm4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json"

Ubuntu:Pro:16.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5+dfsg-1ubuntu0.1+esm4

Affected versions

1.*

1.4-2.1

1.5+dfsg-1

1.5+dfsg-1ubuntu0.1

1.5+dfsg-1ubuntu0.1+esm2

1.5+dfsg-1ubuntu0.1+esm3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.5+dfsg-1ubuntu0.1+esm4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json"

Ubuntu:Pro:18.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5+dfsg-2ubuntu0.1~esm2

Affected versions

1.*

1.5+dfsg-2

1.5+dfsg-2ubuntu0.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json"

Ubuntu:Pro:20.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6-1ubuntu0.20.04.1+esm2

Affected versions

1.*

1.5+dfsg-2build1

1.6-1

1.6-1ubuntu0.20.04.1

1.6-1ubuntu0.20.04.1+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.6-1ubuntu0.20.04.1+esm2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.6-1ubuntu0.20.04.1+esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33947.json"