jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
CVE-2026-40164
This high-severity CVE scores 7.5 under NVD CVSS v3. EPSS exploit probability: 0.0%, top 93% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 7.5(medium)
- EPSS
- 28.8%
- KEV
- Not listed
Published
April 14, 2026
Last Modified
July 15, 2026
Advisory Details (2)
Auto-updated Jun 11, 2026Algorithmic complexity DoS via hardcoded MurmurHash3 seed · Advisory · jqlang/jq · GitHub
https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29commit 0c7d133c3c7e (jqlang/jq)
Fix landed in jqlang/jq commit 0c7d133c3c7e — awaiting tagged release
https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784Vendor Advisories for CVE-2026-40164(20)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2026:34098Red Hat Product SecurityCritical
Red Hat Security Advisory: OpenShift Container Platform 4.17.55 bug fix and security update
- RHSA-2026:28887Red Hat Product SecurityCritical
Red Hat Security Advisory: OpenShift Container Platform 4.14.68 bug fix and security update
- RHSA-2026:30089Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat AI Inference Server 3.3.5 (CUDA)
- RHSA-2026:30088Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat AI Inference Server 3.3.5 (ROCm)
- RHSA-2026:30087Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat AI Inference Server 3.3.5 (Spyre)
- RHSA-2026:30078Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat AI Inference Server Model Optimization Tools 3.3.5 (CUDA)
- RHSA-2026:26542Red Hat Product SecurityCritical
Red Hat Security Advisory: OpenShift Container Platform 4.13.68 bug fix and security update
- RHSA-2026:26528Red Hat Product SecurityCritical
Red Hat Security Advisory: OpenShift Container Platform 4.12.92 bug fix and security update
- +12 more
Patch Availability(20)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | libjq1 (1.6-1ubuntu0.20.04.1+esm3) @ focal | 2026-06-14 | ubuntu |
| ubuntu | libjq1 (1.8.1-4ubuntu2) @ resolute | 2026-06-14 | ubuntu |
| ubuntu | libjq1 (1.7.1-3ubuntu0.24.04.2) @ noble | 2026-06-14 | ubuntu |
| redhat | rhcos-415.92.202606030318-0 | 2026-06-11 | redhat |
| redhat | rhaiis/model-opt-cuda-rhel9:1780681984 | 2026-06-10 | redhat |
| redhat | rhcos-4.19.9.6.202606031700-0 | 2026-06-10 | redhat |
| redhat | jq-0:1.7.1-11.el10_2.2 | 2026-05-19 | redhat |
| redhat | jq-0:1.6-19.el9_8.2 | 2026-05-19 | redhat |
| redhat | jq-0:1.6-17.el9_6.4 | 2026-05-18 | redhat |
| redhat | jq-0:1.6-15.el9_2.3 | 2026-05-18 | redhat |
| redhat | jq-0:1.7.1-8.el10_0.3 | 2026-05-18 | redhat |
| redhat | jq-0:1.6-12.el9_0.3 | 2026-05-18 | redhat |
| redhat | jq-0:1.6-3.el8_6.2 | 2026-05-18 | redhat |
| redhat | jq-0:1.6-16.el9_4.2 | 2026-05-18 | redhat |
| redhat | jq-0:1.5-12.el8_4.5 | 2026-05-18 | redhat |
| redhat | jq-0:1.6-6.el8_8.4 | 2026-05-18 | redhat |
| redhat | jq-0:1.6-19.el9_7.0.2 | 2026-05-13 | redhat |
| redhat | jq-0:1.7.1-11.el10_1.0.2 | 2026-05-13 | redhat |
| redhat | jq-0:1.6-12.el8_10 | 2026-05-12 | redhat |
| redhat | jq-main-1.8.1-3.hum1 | 2026-04-16 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Weakness Classification(3)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(11)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2026:16252IMPORTANT2026-04-13
RHSA-2026:16252 — Important
- Red HatRHSA-2026:16692IMPORTANT2026-04-13
RHSA-2026:16692 — Important
- Red HatRHSA-2026:16693IMPORTANT2026-04-13
RHSA-2026:16693 — Important
- Red HatRHSA-2026:18044IMPORTANT2026-04-13
RHSA-2026:18044 — Important
- Red HatRHSA-2026:18045IMPORTANT2026-04-13
RHSA-2026:18045 — Important
- Red HatRHSA-2026:18046IMPORTANT2026-04-13
RHSA-2026:18046 — Important
- Red HatRHSA-2026:18048IMPORTANT2026-04-13
RHSA-2026:18048 — Important
- Red HatRHSA-2026:8579IMPORTANT2026-04-13
RHSA-2026:8579 — Important
- UbuntuUSN-8202-1MEDIUM
jq vulnerabilities
- UbuntuUSN-8202-2MEDIUM
jq vulnerabilities
- UbuntuUSN-8202-3MEDIUM
jq regression
Data Freshness Timeline
(refreshed 9× in last 7d / 36× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-16 17:03 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 02:00 UTCEPSS rescore
- 2026-07-13 22:30 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-13 06:13 UTCEPSS rescore
- 2026-07-12 05:46 UTCEPSS rescore
- 2026-07-11 08:27 UTCEPSS rescore
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-08 15:15 UTCEPSS rescore
- 2026-07-07 13:46 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 02:30 UTCEPSS rescore
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-01 15:06 UTCEPSS rescore
- 2026-06-30 23:22 UTCEPSS rescore
- 2026-06-29 14:06 UTCEPSS rescore
- 2026-06-28 14:07 UTCEPSS rescore
- 2026-06-28 04:56 UTCEPSS rescore
- 2026-06-27 03:08 UTCEPSS rescore
- 2026-06-25 13:49 UTCEPSS rescore
Show 72 moreShow fewer
- 2026-06-25 13:49 UTCEPSS rescore
- 2026-06-24 14:05 UTCEPSS rescore
- 2026-06-23 21:33 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-22 14:25 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 14:56 UTCEPSS rescore
- 2026-06-21 01:59 UTCEPSS rescore
- 2026-06-19 19:25 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-18 17:52 UTCEPSS rescore
- 2026-06-17 17:53 UTCEPSS rescore
- 2026-06-16 17:52 UTCEPSS rescore
- 2026-06-15 17:49 UTCEPSS rescore
- 2026-06-14 21:37 UTCVendor advisory
- 2026-06-13 23:00 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 23:12 UTCEPSS rescore
- 2026-06-12 06:26 UTCVendor advisory
- 2026-06-11 19:33 UTCVendor advisory
- 2026-06-11 14:00 UTCEPSS rescore
- 2026-06-10 22:29 UTCVendor advisory
- 2026-06-10 22:18 UTCEPSS rescore
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-10 13:22 UTCEPSS rescore
- 2026-06-10 11:36 UTCVendor advisory
- 2026-06-10 00:43 UTCVendor advisory
- 2026-06-09 10:59 UTCVendor advisory
- 2026-06-08 15:04 UTCVendor advisory
- 2026-06-08 14:17 UTCEPSS rescore
- 2026-06-08 14:17 UTCEPSS rescore
- 2026-06-08 04:11 UTCVendor advisory
- 2026-06-07 17:17 UTCVendor advisory
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-07 15:25 UTCEPSS rescore
- 2026-06-07 06:24 UTCVendor advisory
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-06 13:47 UTCEPSS rescore
- 2026-06-05 22:47 UTCEPSS rescore
- 2026-06-05 22:47 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-05 06:10 UTCEPSS rescore
- 2026-06-04 13:12 UTCEPSS rescore
- 2026-06-04 13:12 UTCEPSS rescore
- 2026-06-02 20:13 UTCEPSS rescore
- 2026-06-02 18:59 UTCVendor advisory
- 2026-06-01 20:42 UTCVendor advisory
- 2026-06-01 13:52 UTCEPSS rescore
- 2026-06-01 13:52 UTCEPSS rescore
- 2026-06-01 13:51 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 22:30 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-31 00:16 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-29 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-28 13:44 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-27 13:40 UTCEPSS rescore
- 2026-05-26 13:44 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-26 07:18 UTCEPSS rescore
- 2026-05-20 22:38 UTCEPSS rescore
- 2026-05-20 22:38 UTCEPSS rescore
- 2026-05-20 17:31 UTCEG score recompute
- 2026-05-20 17:31 UTCVendor advisory
- 2026-05-20 11:22 UTCEPSS rescore
- 2026-05-20 11:22 UTCEPSS rescore
Frequently asked(5)
What is CVE-2026-40164?
When was CVE-2026-40164 disclosed?
Is CVE-2026-40164 actively exploited?
What is the CVSS score of CVE-2026-40164?
How do I remediate CVE-2026-40164?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-40164
Is Your Infrastructure Affected by CVE-2026-40164?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.