
[meta-oe,scarthgap,2/9] jq: patch CVE-2026-33947

Message ID 20260426130351.793052-2-ankur.tyagi85@gmail.com
State Under Review
Delegated to: Anuj Mittal
Series [meta-oe,scarthgap,1/9] jq: patch CVE-2026-32316 | expand

Commit Message

Ankur Tyagi April 26, 2026, 1:03 p.m. UTC
From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33947

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../jq/jq/CVE-2026-33947.patch                | 107 ++++++++++++++++++
 meta-oe/recipes-devtools/jq/jq_1.7.1.bb       |   1 +
 2 files changed, 108 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch

Patch

diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch
new file mode 100644
index 0000000000..bf1a506311
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-33947.patch
@@ -0,0 +1,107 @@ 
+From d6a36423898f756355c270c4acae335318ac357c Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 13 Apr 2026 11:23:40 +0900
+Subject: [PATCH] Limit path depth to prevent stack overflow
+
+Deeply nested path arrays can cause unbounded recursion in
+`jv_setpath`, `jv_getpath`, and `jv_delpaths`, leading to
+stack overflow. Add a depth limit of 10000 to match the
+existing `tojson` depth limit. This fixes CVE-2026-33947.
+
+(cherry picked from commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f)
+
+CVE: CVE-2026-33947
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f]
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/jv_aux.c  | 21 +++++++++++++++++++++
+ tests/jq.test | 25 +++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/src/jv_aux.c b/src/jv_aux.c
+index bbe1c0d..0855053 100644
+--- a/src/jv_aux.c
++++ b/src/jv_aux.c
+@@ -376,6 +376,10 @@ static jv jv_dels(jv t, jv keys) {
+   return t;
+ }
+ 
++#ifndef MAX_PATH_DEPTH
++#define MAX_PATH_DEPTH (10000)
++#endif
++
+ jv jv_setpath(jv root, jv path, jv value) {
+   if (jv_get_kind(path) != JV_KIND_ARRAY) {
+     jv_free(value);
+@@ -383,6 +387,12 @@ jv jv_setpath(jv root, jv path, jv value) {
+     jv_free(path);
+     return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
+   }
++  if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
++    jv_free(value);
++    jv_free(root);
++    jv_free(path);
++    return jv_invalid_with_msg(jv_string("Path too deep"));
++  }
+   if (!jv_is_valid(root)){
+     jv_free(value);
+     jv_free(path);
+@@ -434,6 +444,11 @@ jv jv_getpath(jv root, jv path) {
+     jv_free(path);
+     return jv_invalid_with_msg(jv_string("Path must be specified as an array"));
+   }
++  if (jv_array_length(jv_copy(path)) > MAX_PATH_DEPTH) {
++    jv_free(root);
++    jv_free(path);
++    return jv_invalid_with_msg(jv_string("Path too deep"));
++  }
+   if (!jv_is_valid(root)) {
+     jv_free(path);
+     return root;
+@@ -511,6 +526,12 @@ jv jv_delpaths(jv object, jv paths) {
+       jv_free(elem);
+       return err;
+     }
++    if (jv_array_length(jv_copy(elem)) > MAX_PATH_DEPTH) {
++      jv_free(object);
++      jv_free(paths);
++      jv_free(elem);
++      return jv_invalid_with_msg(jv_string("Path too deep"));
++    }
+     jv_free(elem);
+   }
+   if (jv_array_length(jv_copy(paths)) == 0) {
+diff --git a/tests/jq.test b/tests/jq.test
+index ecb9116..4d57301 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2129,3 +2129,28 @@ try ltrimstr("x") catch "x", try rtrimstr("x") catch "x" | "ok"
+ {"hey":[]}
+ "ok"
+ "ok"
++
++# regression test for CVE-2026-33947
++setpath([range(10000) | 0]; 0) | flatten
++null
++[0]
++
++try setpath([range(10001) | 0]; 0) catch .
++null
++"Path too deep"
++
++getpath([range(10000) | 0])
++null
++null
++
++try getpath([range(10001) | 0]) catch .
++null
++"Path too deep"
++
++delpaths([[range(10000) | 0]])
++null
++null
++
++try delpaths([[range(10001) | 0]]) catch .
++null
++"Path too deep"
+\ No newline at end of file
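Review bot: `MAX_PATH_DEPTH` in the src/jv_aux.c section of the added patch is defined without a comment, so the code alone does not say that it caps path-array length in order to bound recursion in `jv_setpath`, `jv_getpath` and `jv_delpaths`, nor that the `#ifndef` guard makes it a build-time setting. I would add above the define: `/* Max path array length; bounds recursion depth in jv_setpath/jv_getpath/jv_delpaths. Override with -DMAX_PATH_DEPTH=N. */`. Whether 10000 nested calls fit depends on the stack limit jq runs under on the target, which is not visible here; for images that run jq with a reduced stack it is worth confirming, and the guard allows a lower value to be passed from the recipe if needed. The bodies of all three functions continue outside the inner hunks, so the recursive calls themselves are not shown.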
diff --git a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
index c3b547383d..7b7910bc72 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.7.1.bb
@@ -16,6 +16,7 @@  SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
     file://CVE-2025-48060.patch \
     file://CVE-2025-9403.patch \
     file://CVE-2026-32316.patch \
+    file://CVE-2026-33947.patch \
     "
 SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"