Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-11T17:23:20 jq: stack overflow in module loading on mutual include 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CWE-674

A flaw was found in jq, a command line JSON processor. The module loader fails to perform cycle detection when resolving imports. This missing cycle detection allows an attacker who can supply crafted modules with circular dependencies to exhaust the stack memory, causing an application crash, resulting in a denial of service.

To exploit this vulnerability, an attacker needs to supply crafted modules with circular dependencies to be processed by the jq module loader. This allows the attacker to cause an application crash with no other security impact. Due to these reasons, this issue has been rated with a moderate severity. Do not process untrusted input with the jq command line JSON processor. Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/controller-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred ansible-automation-platform-26/hub-rhel9 Red Hat Ansible Automation Platform 2 Fix deferred automation-controller Red Hat Ceph Storage 4 Fix deferred jq Red Hat Enterprise Linux 10 Fix deferred jq Red Hat Enterprise Linux 8 Fix deferred jq Red Hat Enterprise Linux 9 Fix deferred jq Red Hat Hardened Images Affected jq Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-44777 https://nvd.nist.gov/vuln/detail/CVE-2026-44777 https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9