new file mode 100644
@@ -0,0 +1,104 @@
+From 5fd935884a6f5b3d8ecdcacfc5d3982140f3a478 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 13 Apr 2026 11:23:40 +0900
+Subject: [PATCH] Limit path depth to prevent stack overflow
+
+Deeply nested path arrays can cause unbounded recursion in
+`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
+stack overflow. Add a depth limit of 10000 to match the
+existing `tojson` depth limit. This fixes CVE-2026-33947.
+
+CVE: CVE-2026-33947
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/jv_aux.c | 21 +++++++++++++++++++++
+ tests/jq.test | 25 +++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/src/jv_aux.c b/src/jv_aux.c
+index bc1405f..594a21f 100644
+--- a/src/jv_aux.c
++++ b/src/jv_aux.c
+@@ -375,6 +375,10 @@ static jv jv_dels(jv t, jv keys) {
+ return t;
+ }
+
++#ifndef MAX_PATH_DEPTH
++#define MAX_PATH_DEPTH (10000)
++#endif
++
+ jv jv_setpath(jv root, jv path, jv value) {
+ if (jv_get_kind(path) != JV_KIND_ARRAY) {
+ jv_free(value);
+@@ -382,6 +386,12 @@ jv jv_setpath(jv root, jv path, jv value) {
+ jv_free(path);
+ return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
+ }
++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
++ jv_free(value);
++ jv_free(root);
++ jv_free(path);
++ return jv_invalid_with_msg(jv_string("Path too deep"));
++ }
+ if (!jv_is_valid(root)){
+ jv_free(value);
+ jv_free(path);
+@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) {
+ jv_free(path);
+ return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
+ }
++ if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
++ jv_free(root);
++ jv_free(path);
++ return jv_invalid_with_msg(jv_string("Path too deep"));
++ }
+ if (!jv_is_valid(root)) {
+ jv_free(path);
+ return root;
+@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) {
+ jv_free(elem);
+ return err;
+ }
++ if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
++ jv_free(object);
++ jv_free(paths);
++ jv_free(elem);
++ return jv_invalid_with_msg(jv_string("Path too deep"));
++ }
+ jv_free(elem);
+ }
+ if (jv_array_length(jv_copy(paths)) == 0) {
+diff --git a/tests/jq.test b/tests/jq.test
+index 4ecf72f..6186d8b 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2507,3 +2507,28 @@ strflocaltime("" | ., @uri)
+ 0
+ ""
+ ""
++
++# regression test for CVE-2026-33947
++setpath([range(10000) | 0]; 0) | flatten
++null
++[0]
++
++try setpath([range(10001) | 0]; 0) catch .
++null
++"Path too deep"
++
++getpath([range(10000) | 0])
++null
++null
++
++try getpath([range(10001) | 0]) catch .
++null
++"Path too deep"
++
++delpaths([[range(10000) | 0]])
++null
++null
++
++try delpaths([[range(10001) | 0]]) catch .
++null
++"Path too deep"
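Review bot: `MAX_PATH_DEPTH` in the src/jv_aux.c part of the patch caps the number of path elements, not the stack actually consumed, so whether 10000 levels of recursion in `jv_setpath`, `jv_getpath` and `jv_delpaths` fit depends on the target's stack size, which is not visible here. The commit message justifies the value only by parity with the `tojson` limit; on small-stack targets it is worth confirming through ptest that the depth-10000 cases added to tests/jq.test pass rather than crash. Because the define is guarded by `#ifndef`, a tighter bound can be supplied at build time with `-DMAX_PATH_DEPTH=<limit>` without editing the backport. The define also has no comment; upstream could carry something like `/* Max path length accepted by jv_setpath/jv_getpath/jv_delpaths; bounds their recursion depth. */`. The bodies of all three functions continue outside the hunks shown.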
@@ -14,6 +14,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://run-ptest \
file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
file://CVE-2026-32316.patch \
+ file://CVE-2026-33947.patch \
"
inherit autotools ptest
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947 Backport the patch that is referenced by the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../jq/jq/CVE-2026-33947.patch | 104 ++++++++++++++++++ meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch