CVE-2026-44777 Overview
CVE-2026-44777 affects jq, a widely used command-line JSON processor maintained by the jqlang project. The vulnerability exists in the ordinary module loader, which recurses without cycle detection when two otherwise valid modules include each other. Versions 1.8.2rc1 and earlier are affected. Loading mutually recursive modules causes uncontrolled recursion, exhausting the stack and crashing the jq process. The flaw is classified under CWE-674 (Uncontrolled Recursion). Exploitation requires a local attack vector and user interaction, since a user must invoke jq against the crafted module set. Impact is limited to availability of the jq process itself.
Critical Impact
A malicious or malformed pair of jq modules that include each other triggers unbounded recursion in the module loader, crashing jq and denying availability to dependent automation.
Affected Products
- jqlang jq versions 1.8.2rc1 and earlier
- Command-line pipelines and shell scripts invoking jq with the -L module search path
- CI/CD and data-processing workflows that load third-party jq modules
Discovery Timeline
- 2026-05-11 - CVE-2026-44777 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44777
Vulnerability Analysis
The jq module loader resolves import and include directives by recursively loading referenced module files. The implementation walks the dependency graph without tracking modules already in the load path. When module A imports module B and module B imports module A, the loader re-enters itself indefinitely.
Each recursive call consumes a stack frame in the parser and loader code paths. The process terminates with a stack overflow once the operating system stack limit is reached. The crash occurs before any of the JSON input is processed, so the impact is confined to the jq invocation rather than the surrounding shell.
The issue maps to CWE-674 (Uncontrolled Recursion). The vulnerability does not allow code execution, memory corruption, or information disclosure. Confidentiality and integrity remain unaffected, while availability of the jq process is lost.
Root Cause
The ordinary module loader lacks a visited-set or cycle-detection check. Standard practice for graph traversal is to record loaded module identifiers and short-circuit when a cycle is detected. The current implementation treats every import directive as a fresh load request, allowing mutual recursion to compound without bound.
Attack Vector
An attacker supplies two or more jq modules that include each other and convinces a local user to run jq against them. This typically occurs through a shared module directory, a checked-in build artifact, or a downloaded jq library bundle. The attack vector is local and requires user interaction, which constrains practical exploitation to supply-chain or workflow-disruption scenarios.
See the GitHub Security Advisory GHSA-rmpv-jgvr-wpr9 for upstream technical details.
Detection Methods for CVE-2026-44777
Indicators of Compromise
- Repeated jq process crashes with stack overflow or segmentation fault signatures during module-driven workflows
- jq invocations terminating without producing output when the -L flag references attacker-supplied module directories
- Presence of .jq module files that import one another in a cycle within shared library paths
Detection Strategies
- Static analysis of jq module directories to flag mutual or circular import/include directives before execution
- Build-pipeline checks that fail when jq --version reports 1.8.2rc1 or earlier on production runners
- Monitor exit codes and signal terminations of jq in CI logs to catch repeated abnormal terminations tied to module loading
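The static check listed above is the same visited-set traversal the Root Cause section says the loader lacks. The following script is an added example written for this write-up, not code from the jq project: it parses import/include directives out of .jq files with a regular expression (an approximation of jq's directive syntax), models jq's search-path resolution in simplified form (name.jq or name/name.jq under a directory passed as -L), and runs a depth-first traversal that reports any module reached while it is still on the active load path. The module names in SAMPLE_MODULES are constructed for illustration.

```python
"""Static check for circular import/include directives among jq modules.

Added example for this advisory, not jq project code. The directive parser
is a regular-expression approximation of jq's `import "path" as name;` and
`include "path";` syntax, and module resolution (name.jq or name/name.jq
under a search directory) is a simplified model of jq's search-path rules.
"""
import re
import sys
from pathlib import Path

# Captures the quoted module path of an import or include directive.
# The `as alias` clause and any trailing metadata object are ignored.
_DIRECTIVE = re.compile(r'^\s*(?:import|include)\s+"(?P<path>[^"]+)"', re.MULTILINE)


def parse_directives(source: str) -> list[str]:
    """Return module paths referenced by import/include directives, './' prefix dropped."""
    return [p[2:] if p.startswith("./") else p for p in _DIRECTIVE.findall(source)]


def find_cycles(graph: dict[str, list[str]]) -> list[list[str]]:
    """Return every dependency cycle in `graph` as a path that ends where it starts.

    Depth-first traversal with three-colour marking. Reaching a module that is
    still on the active path (grey) is exactly the condition the vulnerable
    loader never checks for. Because each module is entered at most once, the
    recursion depth here is bounded by the number of modules, not by the cycle.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in graph}
    cycles: list[list[str]] = []

    def visit(node: str, path: list[str]) -> None:
        colour[node] = GREY
        path.append(node)
        for dep in graph.get(node, []):
            state = colour.setdefault(dep, WHITE)  # dep may be referenced but absent on disk
            if state == GREY:
                cycles.append(path[path.index(dep):] + [dep])
            elif state == WHITE:
                visit(dep, path)
        path.pop()
        colour[node] = BLACK

    for name in list(graph):
        if colour[name] == WHITE:
            visit(name, [])
    return cycles


def build_graph(search_dirs: list[Path]) -> dict[str, list[str]]:
    """Map each .jq module under the search dirs to the modules it references.

    A file name/name.jq is keyed as "name", matching how `import "name"` would
    resolve it (simplifying assumption, see module docstring).
    """
    graph: dict[str, list[str]] = {}
    for root in search_dirs:
        for file in sorted(root.rglob("*.jq")):
            parts = file.relative_to(root).with_suffix("").parts
            if len(parts) >= 2 and parts[-1] == parts[-2]:
                parts = parts[:-1]
            graph["/".join(parts)] = parse_directives(file.read_text())
    return graph


def cycles_in_sources(sources: dict[str, str]) -> list[list[str]]:
    """Run the same check over in-memory module sources keyed by module name."""
    return find_cycles({name: parse_directives(src) for name, src in sources.items()})


# Constructed sample: a and b include each other; c depends on a but is not itself cyclic.
SAMPLE_MODULES = {
    "a": 'import "b" as b;\ndef hello: b::greet;',
    "b": 'include "a";\ndef greet: "hi";',
    "util": 'def identity: .;',
    "c": 'import "util" as u;\nimport "./a" as a;\ndef run: a::hello;',
}


def main(argv: list[str]) -> int:
    """Scan the -L directories given on the command line (or the sample); exit 1 on any cycle."""
    if argv[1:]:
        graph = build_graph([Path(d) for d in argv[1:]])
    else:
        graph = {name: parse_directives(src) for name, src in SAMPLE_MODULES.items()}
    cycles = find_cycles(graph)
    for cycle in cycles:
        print("cyclic include/import:", " -> ".join(cycle))
    return 1 if cycles else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_jq_cycles.py /path/to/modules` in the pipeline step that precedes any jq invocation using that directory; a non-zero exit fails the build before an affected jq binary can recurse into the cycle. Self-includes (a module that includes itself) are reported by the same grey-node test.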
Monitoring Recommendations
- Inventory all systems and container images that ship jq and record the installed version against the fixed release
- Alert on jq processes terminated by SIGSEGV in endpoint telemetry to surface availability impact early
- Track changes to shared jq module directories under configuration management to detect introduction of cyclic modules
How to Mitigate CVE-2026-44777
Immediate Actions Required
- Upgrade jq to the fixed release published in the jqlang security advisory on all endpoints, build agents, and container base images
- Audit module search paths passed to jq -L and remove any untrusted or third-party module sources
- Restrict write access to shared jq module directories to administrators only
Patch Information
The jqlang project addressed the issue in the release following 1.8.2rc1. Refer to the GitHub Security Advisory GHSA-rmpv-jgvr-wpr9 for the fixed version and commit reference. Rebuild or re-pull container images that bundle jq after the upgrade.
Workarounds
- Avoid loading jq modules from untrusted sources until the patched version is deployed
- Run jq without the -L flag where module imports are not required for the workflow
- Set a conservative process stack limit with ulimit -s so a crash terminates quickly and does not stall automation; this bounds the cost of the crash rather than preventing it
# Verify installed jq version and constrain stack for module-loading workflows
jq --version                                        # affected if the reported version is 1.8.2rc1 or earlier
ulimit -s 8192                                      # stack limit in KiB for this shell and its children; bounds the crash, does not prevent it
jq -L /trusted/jq/modules -f script.jq input.json   # only an administrator-controlled module directory on the search path
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.