{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40164/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40164"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["jq","denial-of-service","hash-collision","CVE-2026-40164","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40164 identifies a denial-of-service (DoS) vulnerability affecting the \u003ccode\u003ejq\u003c/code\u003e command-line JSON processor. Prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, \u003ccode\u003ejq\u003c/code\u003e employed MurmurHash3 with a fixed, publicly known seed (0x432A9843) for all JSON object hash table operations. This weakness allowed a malicious actor to precompute key collisions offline. An attacker could then supply a specially crafted JSON object, roughly 100KB in size, where all keys hash to the same bucket. This forces hash table lookups to degrade from O(1) to O(n) complexity, effectively turning any \u003ccode\u003ejq\u003c/code\u003e expression into an O(n²) operation, resulting in significant CPU exhaustion. The vulnerability impacts common \u003ccode\u003ejq\u003c/code\u003e use cases, including CI/CD pipelines, web services, and data processing scripts. 
The vulnerability has been addressed in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker analyzes the \u003ccode\u003ejq\u003c/code\u003e source code and identifies the use of MurmurHash3 with the hardcoded seed 0x432A9843.\u003c/li\u003e\n\u003cli\u003eThe attacker develops a script to generate JSON keys that will collide with each other when hashed using MurmurHash3 and the specific seed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a JSON object, approximately 100KB in size, containing numerous colliding keys.\u003c/li\u003e\n\u003cli\u003eThe attacker submits this malicious JSON object to a system running \u003ccode\u003ejq\u003c/code\u003e, potentially via an API endpoint or as input to a data processing script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ejq\u003c/code\u003e process parses the JSON object and attempts to perform hash table lookups. Due to the collisions, these lookups become extremely slow, consuming excessive CPU resources.\u003c/li\u003e\n\u003cli\u003eThe CPU utilization on the target system spikes, potentially impacting the performance of other applications.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ejq\u003c/code\u003e process may become unresponsive or crash due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe system experiences a denial-of-service condition, preventing legitimate users or processes from accessing \u003ccode\u003ejq\u003c/code\u003e functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40164 can lead to denial-of-service conditions on systems utilizing the \u003ccode\u003ejq\u003c/code\u003e JSON processor. The vulnerability impacts environments where \u003ccode\u003ejq\u003c/code\u003e is used, including CI/CD pipelines, web services, and data processing scripts. 
If successfully exploited, critical processes relying on \u003ccode\u003ejq\u003c/code\u003e may become unavailable, leading to disruptions in automated workflows, web application outages, and data processing delays. The relatively small size of the malicious JSON payload (approximately 100KB) makes this vulnerability practical and easily exploitable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a \u003ccode\u003ejq\u003c/code\u003e version containing commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 or later to patch the vulnerability (reference: CVE-2026-40164).\u003c/li\u003e\n\u003cli\u003eMonitor CPU utilization on systems running \u003ccode\u003ejq\u003c/code\u003e for unusually high activity, especially when processing JSON data, to detect potential exploitation attempts (reference: Attack Chain - Step 6).\u003c/li\u003e\n\u003cli\u003eImplement resource limits and rate limiting on services that accept JSON input to mitigate the impact of denial-of-service attacks (reference: Impact).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T00:16:07Z","date_published":"2026-04-14T00:16:07Z","id":"/briefs/2026-04-jq-hash-dos/","summary":"A denial-of-service vulnerability exists in jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 due to the use of a hardcoded seed in MurmurHash3, enabling attackers to craft JSON objects that trigger hash collisions and cause excessive CPU consumption.","title":"jq JSON Processor Hash Table Collision Denial-of-Service Vulnerability (CVE-2026-40164)","url":"https://feed.craftedsignal.io/briefs/2026-04-jq-hash-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-40164","version":"https://jsonfeed.org/version/1.1"}