CVE-2026-44777
Received Received - Intake
jq Module Loader Recursion Flaw Enables DoS

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-44777
EUVD
EUVD-2026-29177
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jqlang jq to 1.8.2rc1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can cause a denial of service by crashing any workflow that processes attacker-controlled programs or module paths containing mutually including modules.

It does not allow memory corruption or code execution, but results in process termination due to unbounded recursion.

Executive Summary

CVE-2026-44777 is a stack overflow vulnerability in the jq programming language's module loading system.

The issue occurs when two valid modules include each other, creating a mutual dependency cycle. This causes the module loader to recurse indefinitely without cycle detection, leading to stack exhaustion and process termination.

The vulnerability affects jq versions up to and including 1.8.2rc1.

Detection Guidance

This vulnerability can be detected by identifying if your jq usage involves processing JSON modules that include each other mutually, causing the module loader to recurse indefinitely.

A practical way to detect the vulnerability is to test jq with modules that include each other and observe if the process crashes due to stack overflow.

Since the issue causes process termination from unbounded recursion, monitoring jq processes for unexpected crashes or stack overflow errors during module loading can indicate the presence of this vulnerability.

No specific commands are provided in the resources, but you can create or identify JSON modules that mutually include each other and run jq on them to see if it crashes.

Mitigation Strategies

To mitigate this vulnerability, avoid processing workflows or programs that include mutually dependent jq modules until a fixed version is applied.

The vulnerability affects jq versions up to and including 1.8.2rc1, so upgrading jq to a version that includes the fix for cycle detection in module loading is recommended.

As a temporary measure, review and restrict the module paths and inputs to jq to prevent attacker-controlled or malicious modules that could trigger the recursion.

Compliance Impact

The vulnerability in jq causes a denial of service through stack overflow when mutually including modules create an infinite recursion. It does not involve memory corruption, code execution, or data leakage.

Since the issue results in process termination without unauthorized access or data compromise, it primarily impacts availability rather than confidentiality or integrity.

Therefore, this vulnerability could affect compliance with standards that require system availability and resilience, but it does not directly lead to violations of data protection regulations like GDPR or HIPAA which focus on data confidentiality and privacy.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44777. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart