CVE-2026-44777
Published 2026-05-11
Priority P4 · 19 · medium · 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.16% (5.7th percentile)
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ansible-automation-platform-26 | controller-rhel9 | — | — |
| ansible-automation-platform-26 | hub-rhel9 | — | — |
| jqlang | jq | <= 1.8.2 | — |
| jqlang | jq | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 5.4 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 5.4 | MEDIUM | |
Red Hat
jq: stack overflow in module loading on mutual include
vendor_redhat·2026-05-11·CVSS 5.4
CVE-2026-44777 [MEDIUM] CWE-674 jq: stack overflow in module loading on mutual include
A flaw was found in jq, a command line JSON processor. The module loader fails to perform cycle detection when resolving imports. This missing cycle detection allows an attacker who can supply crafted modules with circular dependencies to exhaust the stack memory, causing an application crash, resulting in a denial of service.
Statement: To exploit this vulnerability, an attacker needs to supply crafted modules with circular dependencies to be processed by the jq module loader. This allows the attacker to cause an application crash with no other security impact. Due to these reasons, this issue has been rated with a moderate severity.
Mitigation: Do not process untrusted input with the jq command line JSON processor.
Package: ansib
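A pre-flight check in the spirit of the mitigation above, as an added example (not code from jq, Red Hat or this page): it scans a set of jq modules for import/include cycles before they are handed to jq. It assumes a single search directory in which module "x" resolves to x.jq, and it finds directives with a regex rather than jq's own parser; the function names are hypothetical.

```python
import re
from pathlib import Path

# Matches jq module directives: import "path" as name;  /  include "path";
# Assumption: regex scan, not jq's parser; comments and strings are not handled.
DIRECTIVE = re.compile(r'\b(?:import|include)\s+"([^"]+)"')

def load_dir(root):
    """Read every .jq file under root into {module name: source}."""
    root = Path(root)
    return {p.relative_to(root).with_suffix("").as_posix(): p.read_text()
            for p in root.rglob("*.jq")}

def dependency_graph(modules):
    """Map each module to the modules it names that exist in the same set."""
    return {name: [d for d in DIRECTIVE.findall(src) if d in modules]
            for name, src in modules.items()}

def find_cycle(modules):
    """Return one dependency cycle as a list of names, or None.

    Iterative depth-first search, so the checker itself cannot exhaust
    the stack on a deep or cyclic module set.
    """
    graph = dependency_graph(modules)
    state = {}                      # name -> "active" (on path) or "done"
    for start in sorted(graph):
        if start in state:
            continue
        path, stack = [start], [iter(graph[start])]
        state[start] = "active"
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:         # all edges explored: leave this node
                state[path.pop()] = "done"
                stack.pop()
            elif state.get(nxt) == "active":
                return path[path.index(nxt):] + [nxt]
            elif nxt not in state:
                state[nxt] = "active"
                path.append(nxt)
                stack.append(iter(graph[nxt]))
    return None

# Constructed sample: two otherwise valid modules that include each other.
SAMPLE = {"a": 'include "b"; def fa: 1;',
          "b": 'include "a"; def fb: 2;',
          "util": 'def id2: .;'}
```

Running `find_cycle(load_dir(path))` on a module directory received from an untrusted source, and refusing to invoke jq when it returns a cycle, keeps the mutual-include case away from the loader.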
VulDB
jqlang jq up to 1.8.2rc1 Ordinary Module Loader recursion (GHSA-rmpv-jgvr-wpr9)
vuldb·2026-05-11·CVSS 5.4
CVE-2026-44777 [MEDIUM] jqlang jq up to 1.8.2rc1 Ordinary Module Loader recursion (GHSA-rmpv-jgvr-wpr9)
A vulnerability, which was classified as problematic, has been found in jqlang jq up to 1.8.2rc1. This affects an unknown part of the component Ordinary Module Loader. Performing a manipulation results in uncontrolled recursion.
This vulnerability is reported as CVE-2026-44777. The attack requires a local approach. No exploit exists.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44777 jq: stack overflow in module loading on mutual include [fedora-all]
bugzilla·2026-05-13·CVSS 5.4
CVE-2026-44777 [MEDIUM] CVE-2026-44777 jq: stack overflow in module loading on mutual include [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44777 jq: stack overflow in module loading on mutual include
bugzilla·2026-05-11·CVSS 5.4
CVE-2026-44777 [MEDIUM] CVE-2026-44777 jq: stack overflow in module loading on mutual include
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.
2026-05-11
Published