A flaw was found in jq, a command line JSON processor. The `jv_object_merge_recursive` function, reachable via the `*` operator when both operands are objects, does not have a depth limit when processing nested objects. This missing depth limit allows an attacker who can supply a sufficiently nested input structure to exhaust the stack memory, causing an application crash and resulting in a denial of service.

To exploit this issue, an attacker needs to supply a crafted JSON input to be processed by jq with the `jv_object_merge_recursive` function, reachable via the `*` operator when both operands are objects. This allows the attacker to cause an application crash with no other security impact. Due to these reasons, this vulnerability has been rated with a moderate severity. Do not process untrusted input with the jq command line JSON processor. Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/hub-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred automation-controller Red Hat Ceph Storage 4 Fix deferred jq Red Hat Enterprise Linux 10 Fix deferred jq Red Hat Enterprise Linux 8 Fix deferred jq Red Hat Enterprise Linux 9 Fix deferred jq Red Hat Hardened Images Affected jq Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-43896 https://nvd.nist.gov/vuln/detail/CVE-2026-43896 https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846