CVE-2026-44777

jq: stack overflow in module loading on mutual `include`

Published: 5/11/2026 Last updated: 5/11/2026 Reserved: 5/7/2026

jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.

CNA assigner: GitHub_M (a0819718-46f1-4df5-94e2-005712e83aaa) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
4.0	5.4	Medium	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Opam packages affected (2)

conf-jq travis-opam

Products affected (1)

Product	Vendor	Version
jq	jqlang	12.2(4)B2

References (2)

https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9
https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9