Skip to main content

jq CVE-2026-44777

| EUVDEUVD-2026-29177 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-11 GitHub_M
5.4
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVSS changed
May 11, 2026 - 18:22 NVD
5.4 (MEDIUM)
CVE Published
May 11, 2026 - 17:23 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other.

AnalysisAI

jq 1.8.2rc1 and earlier suffers from infinite recursion in the module loader when two modules include each other circularly, causing denial of service through resource exhaustion. The vulnerability requires user interaction (loading a crafted jq script with circular module dependencies) on local systems. CVSS 5.4 (CVSS:4.0/AV:L/AC:L/PR:N/UI:P) reflects availability impact only; no remote exploitation vector exists. No public exploit code or active exploitation reported at time of analysis.

Technical ContextAI

jq's module loader (CWE-674: Uncontrolled Recursion) implements dynamic module inclusion via import/include directives without maintaining a visited-modules set or recursion-depth limit. When module A includes module B, and module B includes module A, the loader enters infinite recursion, exhausting stack memory and process resources. The vulnerability exists in the module resolution logic that processes import statements during jq program parsing and execution, affecting both explicit circular dependencies and transitive cycles through intermediate modules.

RemediationAI

Upgrade jq to version 1.8.2 or later once released by the jqlang project. Immediate patch availability is not confirmed from input data; check the GitHub security advisory at https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9 for the exact patched release version and timeline. As a temporary workaround for systems processing untrusted jq scripts, disable the module loading feature by running jq with appropriate command-line flags (if available in your version) or sandboxing execution in containers with strict resource limits (memory and CPU cgroups) to prevent denial of service. For web services accepting user-supplied jq filters, implement a whitelist of allowed jq operations and explicitly disable or restrict the import/include directives; note this may break legitimate module-based workflows. Run jq processes with resource limits (ulimit -m, ulimit -s) to cap memory and stack usage, mitigating (but not preventing) the infinite recursion impact.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-44777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy