CVE-2026-44777: jq: stack overflow in module loading on mutual `include`
Published May 11, 2026
jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.
Affected Software
2 affected components
JQ jq<=1.8.2rc1
jqlang jq<=1.8.2
Event History
May 11, 2026
CVE Published via MITRE · 05:23 PM
Data Sourced via MITRE · 05:23 PM: Description, Weakness
Data Sourced via NVD · 06:16 PM: Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-44777?
CVE-2026-44777 has a high severity due to the potential for stack overflow and application crashes.
2. How do I fix CVE-2026-44777?
To fix CVE-2026-44777, upgrade jq to version 1.8.2rc2 or later where the issue has been addressed.
3. What versions of jq are affected by CVE-2026-44777?
CVE-2026-44777 affects jq versions up to and including 1.8.2rc1.
4. What is the impact of CVE-2026-44777 on applications using jq?
The impact of CVE-2026-44777 includes potential crashes or resource exhaustion when modules include each other.
5. Is there a workaround for CVE-2026-44777 if I cannot update jq?
A possible workaround for CVE-2026-44777 is to avoid using mutual includes in jq modules.
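One way to apply the workaround is to check a set of jq modules for include cycles before an affected jq loads them. This is an added example, not jq's own code or its fix. It assumes each module name maps directly to one source text (jq's search-path resolution is ignored) and treats `import` like `include` as a conservative assumption; `dependencies`, `find_cycles` and the sample modules are constructed for illustration.

```python
import re

# jq directives: `include "name";` and `import "name" as alias;`.
# Matched only at line start or after `;`, so `# include "x"` comments are skipped.
DIRECTIVE = re.compile(r'(?:^|;)\s*(?:include|import)\s+"([^"]+)"', re.MULTILINE)

# Constructed sample input: module name -> jq source text.
SAMPLE_MODULES = {
    "a": 'include "b"; def fa: 1;',
    "b": 'include "a"; def fb: 2;',          # a and b include each other
    "c": 'import "d" as d; def fc: d::fd;',  # acyclic dependency
    "d": 'def fd: 4;',
}

def dependencies(source):
    """Return the module names a jq source pulls in via include/import."""
    return DIRECTIVE.findall(source)

def find_cycles(modules):
    """Return every include cycle as a list of names, e.g. ['a', 'b', 'a']."""
    graph = {name: dependencies(src) for name, src in modules.items()}
    cycles = []
    state = {}  # 1 = on the current DFS path, 2 = fully explored

    def visit(node, path):
        state[node] = 1
        path.append(node)
        for dep in graph.get(node, []):   # unknown modules have no edges
            if state.get(dep) == 1:       # back edge: dep is already on the path
                cycles.append(path[path.index(dep):] + [dep])
            elif dep not in state:
                visit(dep, path)
        path.pop()
        state[node] = 2

    for name in graph:
        if name not in state:
            visit(name, [])
    return cycles

if __name__ == "__main__":
    for cycle in find_cycles(SAMPLE_MODULES):
        print("include cycle:", " -> ".join(cycle))
```

A non-empty result means the module set should not be loaded by an affected jq until the cycle is removed.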