FERRAMENTAS LINUX: Hardening jq Against JSON-Based DoS Attacks

Wednesday, April 22, 2026

Hardening jq Against JSON-Based DoS Attacks

Stop crashing your JSON pipelines. This guide covers 5 critical jq DoS vulnerabilities (CVE-2026), shows how to check your version on Fedora 43 & CentOS 9, provides an automated bash fix script, and offers immediate iptables mitigation for unpatched systems.


jq is the "sed for JSON"—a tool so essential that if you work with APIs, logs, or cloud data, you probably use it daily without thinking. But what happens when the tool itself becomes the vulnerability?

In April 2026, maintainers patched five distinct CVEs affecting jq version 1.8.1 and earlier. These aren't theoretical flaws. They allow a remote attacker or a malicious API response to:

While the disclosure date was April 22, 2026, these classes of bugs (hash flooding, recursion, integer overflows) are permanent patterns in C-based parsers. Any system running an unpatched jq on untrusted JSON today is vulnerable.

Below is your permanent playbook to check, patch, and mitigate—regardless of your distro or patch cycle.


How to Check if You Are Vulnerable: Fedora 43 / CentOS 9 / RHEL

Run these commands on any machine that processes external JSON.

bash
# 1. Check your installed jq version
jq --version

# Vulnerable versions: 1.8.1 and below (including 1.7, 1.6, etc.)
# Fixed version: 1.8.1-3.fc43 or higher

# 2. Verify if the specific patch is installed (Fedora/RHEL)
rpm -q --changelog jq | grep -E "CVE-2026-32316|CVE-2026-33947|CVE-2026-40164"

# If the command returns nothing → you are vulnerable.
# If you see lines containing those CVEs → you are patched.

# 3. Test for hash collision DoS manually (safe)
echo '{"a":1,"b":2}' | jq empty # Should exit 0
# A vulnerable jq will hang or crash on a specially crafted payload.

Automation Script to Apply the Fix (Bash – Major Distros)

Save this as fix-jq-dos.sh and run it as root. It detects your package manager and updates jq to the patched version.

bash
#!/bin/bash
# fix-jq-dos.sh – Evergreen jq vulnerability patcher
set -e

# Package managers below need root; fail early with a clear message.
if [ "$(id -u)" -ne 0 ]; then
    echo "[!] Run as root (or via sudo)." >&2
    exit 1
fi

echo "[+] Checking current jq version..."
# A missing jq must not abort the script under set -e; the update step installs it.
jq --version 2>/dev/null || echo "[!] jq not installed or not on PATH"

if command -v dnf &> /dev/null; then
    echo "[+] Detected DNF (Fedora/RHEL/CentOS 9)"
    dnf update jq -y
    dnf upgrade --advisory FEDORA-2026-4e57162966 -y 2>/dev/null || echo "[!] Advisory not found, but jq updated."
elif command -v apt &> /dev/null; then
    echo "[+] Detected APT (Debian/Ubuntu)"
    apt update && apt install jq -y
elif command -v zypper &> /dev/null; then
    echo "[+] Detected Zypper (openSUSE)"
    zypper refresh && zypper update jq -y
else
    echo "[!] Manual update required. Download from https://jqlang.org/download/"
    exit 1
fi

echo "[+] Verifying fix..."
jq --version
# On RPM-based systems, confirm the CVE entries from the check above are in the changelog.
if command -v rpm &> /dev/null; then
    if rpm -q --changelog jq | grep -qE "CVE-2026-32316|CVE-2026-33947|CVE-2026-40164"; then
        echo "[✓] Changelog lists the CVE fixes."
    else
        echo "[!] CVE entries not found in changelog; check your repo mirror." >&2
    fi
fi
echo "[✓] jq updated. Reboot not required."

Usage:

bash
chmod +x fix-jq-dos.sh
sudo ./fix-jq-dos.sh

Alternative Mitigation (If You Cannot Update Now)

You can’t update because of a frozen production environment? Here are three immediate workarounds:


1. Rate-limit and sanitize inputs using iptables (for API endpoints)

If you pipe untrusted web data into jq, block malicious payloads at the edge:

bash
# xt_string inspects each packet's payload, not a reassembled HTTP body, and
# --to only bounds how far into the packet the scan goes (here: the whole packet).
# As written, these rules drop any packet on 80/443 whose payload contains "{",
# and they cannot see inside TLS on 443. Test on a staging host before deploying.
iptables -A INPUT -p tcp --dport 80 -m string --string "{" --algo bm --to 1048576 -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "{" --algo bm --to 1048576 -j DROP

2. Run jq inside a CPU/memory-restricted container

bash
docker run --rm -i --cpus="0.1" --memory="64m" jq:1.8.1 jq '.' < untrusted.json

3. Use an AppArmor profile to limit recursion depth

Create /etc/apparmor.d/usr.bin.jq:

text
#include <tunables/global>

/usr/bin/jq {
  # Without the base abstraction a confined jq cannot even load libc.
  #include <abstractions/base>
  # Allow the binary itself to be mapped and executed
  /usr/bin/jq mr,
  # Cap the stack so pathologically deep nesting aborts instead of exhausting it
  set rlimit stack <= 8M,
  # Deny writes to sensitive areas
  deny /etc/** w,
  # Input given as a file path (rather than stdin) needs its own read rule.
}

Then reload: apparmor_parser -r /etc/apparmor.d/usr.bin.jq
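A fourth workaround in the same spirit, added here as an example that is not part of the original post: a small Python pre-filter that rejects JSON whose shape matches the two bug classes discussed above (excessive nesting, which drives recursion, and objects with huge numbers of keys, which drive hash flooding) before the bytes ever reach jq. The depth, key-count and size limits are constructed defaults, not values from the advisories.

```python
import sys


def check_json_shape(data, max_depth=64, max_keys=10_000, max_bytes=1 << 20):
    """Single pass over raw bytes; returns (ok, reason). Defaults are constructed
    limits, tune them per pipeline. Shape filter only: jq still parses the input."""
    if len(data) > max_bytes:
        return False, f"size {len(data)} exceeds {max_bytes} bytes"
    stack = []                   # per open container: key count (object) or None (array)
    in_string = escaped = False  # brackets inside string literals must not count
    for pos, c in enumerate(data):
        if in_string:
            if escaped:
                escaped = False
            elif c == 0x5C:      # backslash starts an escape sequence
                escaped = True
            elif c == 0x22:      # unescaped quote ends the string
                in_string = False
            continue
        if c == 0x22:            # '"'
            in_string = True
        elif c in (0x7B, 0x5B):  # '{' or '[' opens a container
            stack.append(0 if c == 0x7B else None)
            if len(stack) > max_depth:
                return False, f"nesting deeper than {max_depth} at byte {pos}"
        elif c in (0x7D, 0x5D):  # '}' or ']' closes one
            if not stack:
                return False, f"unbalanced closing bracket at byte {pos}"
            stack.pop()
        elif c == 0x3A and stack and stack[-1] is not None:  # ':' = one member
            stack[-1] += 1
            if stack[-1] > max_keys:
                return False, f"object with more than {max_keys} keys at byte {pos}"
    if stack or in_string:
        return False, "unterminated container or string"
    return True, "ok"


def main():
    data = sys.stdin.buffer.read()
    ok, reason = check_json_shape(data)
    if not ok:
        sys.stderr.write(f"[jq-guard] rejected input: {reason}\n")
        sys.exit(1)
    sys.stdout.buffer.write(data)


if __name__ == "__main__":
    main()
```

Use it as a pipe stage in front of jq, for example `python3 jq_guard.py < untrusted.json | jq '.'`; anything rejected never reaches the parser.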

Recommended Book 

JSON at Work: This is the definitive guide to API security. It dedicates significant coverage to exactly the problems that caused the jq CVEs—input validation failures, denial of service through malformed payloads, and safe JSON parsing. The author is a security expert who literally wrote the book on JWT token security.

What you'll learn:

  • How to validate JSON input before parsing (prevents hash collision attacks like CVE-2026-40164).
  • Protection against injection attacks through crafted payloads.
  • Building APIs that resist DoS through recursion limits (CVE-2026-33947).
  • Hands-on examples building a secure API from scratch.

Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.

