CVE-2026-44777
Status: Received - Intake
jq Module Loader Recursion Flaw Enables DoS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: jqlang
Product: jq
Version / Range: up to 1.8.2rc1 (inclusive)
CWE
CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can cause a denial of service by crashing any workflow that processes attacker-controlled programs or module paths containing mutually including modules.

It does not allow memory corruption or code execution, but results in process termination due to unbounded recursion.


Can you explain this vulnerability to me?

CVE-2026-44777 is a stack overflow vulnerability in the jq programming language's module loading system.

The issue occurs when two valid modules include each other, creating a mutual dependency cycle. This causes the module loader to recurse indefinitely without cycle detection, leading to stack exhaustion and process termination.

The vulnerability affects jq versions up to and including 1.8.2rc1.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in jq causes a denial of service through stack overflow when mutually including modules create an infinite recursion. It does not involve memory corruption, code execution, or data leakage.

Since the issue results in process termination without unauthorized access or data compromise, it primarily impacts availability rather than confidentiality or integrity.

Therefore, this vulnerability could affect compliance with standards that require system availability and resilience, but it does not directly lead to violations of data protection regulations like GDPR or HIPAA which focus on data confidentiality and privacy.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying if your jq usage involves processing JSON modules that include each other mutually, causing the module loader to recurse indefinitely.

A practical way to detect the vulnerability is to test jq with modules that include each other and observe if the process crashes due to stack overflow.

Since the issue causes process termination from unbounded recursion, monitoring jq processes for unexpected crashes or stack overflow errors during module loading can indicate the presence of this vulnerability.

No specific commands are provided in the resources, but you can create or identify JSON modules that mutually include each other and run jq on them to see if it crashes.
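Rather than running a vulnerable jq against mutually including modules and waiting for it to crash, a module tree can be checked statically for include cycles first. The following is an added example, not code from jq or from this page: it scans jq module sources for `include "name";` and `import "name" as alias;` directives and walks the resulting dependency graph depth-first until it finds a cycle. It assumes the simple resolution rule `name` -> `name.jq` below one search directory (jq's real search-path resolution, e.g. `name/name.jq` and relative paths, is not modelled); the sample modules are constructed for the demonstration.

```python
import os
import re
from typing import Dict, List, Optional

# Matches a jq include/import directive at the start of a line and captures
# the quoted module path. Commented-out directives (leading '#') do not match.
_DIRECTIVE = re.compile(r'^\s*(?:include|import)\s+"([^"]+)"', re.M)


def dependencies(source: str) -> List[str]:
    """Return the module names a jq module source includes or imports."""
    return _DIRECTIVE.findall(source)


def find_include_cycle(modules: Dict[str, str], root: str) -> Optional[List[str]]:
    """Depth-first walk of the include/import graph starting at `root`.

    `modules` maps module name -> source text. Returns the first cycle found
    as a list of module names that closes on its first element, or None if
    the graph reachable from `root` is acyclic. Modules that are referenced
    but not present in `modules` are skipped (they cannot form a cycle here).
    """
    on_stack: List[str] = []   # current DFS path, used to detect back-edges
    done = set()               # fully explored, known acyclic

    def visit(name: str) -> Optional[List[str]]:
        if name in on_stack:   # back-edge: the path from `name` to here is a cycle
            return on_stack[on_stack.index(name):] + [name]
        if name in done or name not in modules:
            return None
        on_stack.append(name)
        for dep in dependencies(modules[name]):
            cycle = visit(dep)
            if cycle:
                return cycle
        on_stack.pop()
        done.add(name)
        return None

    return visit(root)


def load_module_dir(path: str) -> Dict[str, str]:
    """Map `name` -> contents of `name.jq` for every .jq file under `path` (assumed layout)."""
    modules: Dict[str, str] = {}
    for root_dir, _, files in os.walk(path):
        for f in files:
            if f.endswith(".jq"):
                full = os.path.join(root_dir, f)
                name = os.path.relpath(full, path)[:-3].replace(os.sep, "/")
                with open(full, encoding="utf-8") as fh:
                    modules[name] = fh.read()
    return modules


# Constructed sample: a.jq and b.jq include each other (the CVE-2026-44777
# pattern); c.jq imports d.jq, which includes nothing.
SAMPLE_MODULES = {
    "a": 'include "b";\ndef hello: "from a";\n',
    "b": '# include "a";  <- commented out, ignored\ninclude "a";\ndef hi: "from b";\n',
    "c": 'import "d" as d;\ndef run: d::leaf;\n',
    "d": 'def leaf: "no includes here";\n',
}

if __name__ == "__main__":
    for root in SAMPLE_MODULES:
        print(root, "->", find_include_cycle(SAMPLE_MODULES, root) or "acyclic")
```

Point `load_module_dir` at a directory on your jq search path (`-L`) and run `find_include_cycle` over each module to flag cycles before a jq release with cycle detection is deployed.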


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, avoid processing workflows or programs that include mutually dependent jq modules until a fixed version is applied.

The vulnerability affects jq versions up to and including 1.8.2rc1, so upgrading jq to a version that includes the fix for cycle detection in module loading is recommended.

As a temporary measure, review and restrict the module paths and inputs to jq to prevent attacker-controlled or malicious modules that could trigger the recursion.

