RHSA-2026:16252: Important: jq security update

Red Hat has released an important security update for the `jq` JSON processor on RHEL 8 to address two vulnerabilities: an out-of-bounds read in `jv_parse_sized()` (CVE-2026-39979, CVSS 6.5) and a denial of service via hash collisions from crafted JSON objects (CVE-2026-40164, CVSS 7.5). According to NVD data, `jqlang jq` versions before the 2026-04-12 release are affected. The advisory provides updated packages for multiple RHEL 8 architectures to remediate these issues.

Read Full Article →

Red Hat Product Errata RHSA-2026:16252 - Security Advisory Issued: 2026-05-12 Updated: 2026-05-12 RHSA-2026:16252 - Security Advisory Overview Updated Packages Synopsis Important: jq security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for jq is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text. Security Fix(es): jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979) jq: jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 8 x86_64 Red Hat Enterprise Linux for IBM z Systems 8 s390x Red Hat Enterprise Linux for Power, little endian 8 ppc64le Red Hat Enterprise Linux for ARM 64 8 aarch64 Red Hat CodeReady Linux Builder for x86_64 8 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 8 ppc64le Red Hat CodeReady Linux Builder for ARM 64 8 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 s390x Fixes BZ - 2458077 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers BZ - 2458084 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions CVEs CVE-2026-39979 CVE-2026-40164 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 8 SRPM jq-1.6-12.el8_10.src.rpm SHA-256: f0371a17df9dad9edf1640342da76c593ba116cf0febb74c095897e5926137e9 x86_64 jq-1.6-12.el8_10.i686.rpm SHA-256: 7aa8c67cf06b7c88f78de400a2cb2cee6f81d48c20fc2034706058b8c93eb6a0 jq-1.6-12.el8_10.x86_64.rpm SHA-256: 88e62c63c8b6be1edadc0fcdf68b60367dbb662dd84916e162e469792d105f46 jq-debuginfo-1.6-12.el8_10.i686.rpm SHA-256: 512ca6c353521065fd65c8007bd91f642a015d7082f6407fa6904fec6b5591d3 jq-debuginfo-1.6-12.el8_10.x86_64.rpm SHA-256: ba815e3d15ab81272bab41a02db800486672bf5e8803e9001edbba20682499c5 jq-debugsource-1.6-12.el8_10.i686.rpm SHA-256: a3416efc8fe05e2e3e081e3cbff024c91818cbd9410fbf271bd66684cbc78f8f jq-debugsource-1.6-12.el8_10.x86_64.rpm SHA-256: a86f11a8a76e28636b4b1f8504efa10ed4e4dac6e910f25b49738e16ba7d0ff2 Red Hat Enterprise Linux for IBM z Systems 8 SRPM jq-1.6-12.el8_10.src.rpm SHA-256: f0371a17df9dad9edf1640342da76c593ba116cf0febb74c095897e5926137e9 s390x jq-1.6-12.el8_10.s390x.rpm SHA-256: 1d9d77c7c0f65e9893efc07efee09a9c0ff10a7e770d60409f9b7f278d19a0b0 jq-debuginfo-1.6-12.el8_10.s390x.rpm SHA-256: 9454ef6fc103e894ec1efdb995efa53df40e4495c92ef2e97ce27a7ee0ebdc52 jq-debugsource-1.6-12.el8_10.s390x.rpm SHA-256: 9cd40746de65397b619eed21f2485c5c8b6b965adc345580b274867943194dc4 Red Hat Enterprise Linux for Power, little endian 8 SRPM jq-1.6-12.el8_10.src.rpm SHA-256: f0371a17df9dad9edf1640342da76c593ba116cf0febb74c095897e5926137e9 ppc64le jq-1.6-12.el8_10.ppc64le.rpm SHA-256: db546534302de8085b16ce0cb01e15218dc188d9855f75f9e49b4cb752e09cf1 jq-debuginfo-1.6-12.el8_10.ppc64le.rpm SHA-256: a69b8cd19abc906527c55cdf3e5a7e70b830e608e7dc6b1f2663e3820c1d539b jq-debugsource-1.6-12.el8_10.ppc64le.rpm SHA-256: bfb09daa6ff42ddd37f78a92a2d74c2dd9a8336830c5f3a8200a8e0f9b536e7c Red Hat Enterprise Linux for ARM 64 8 SRPM jq-1.6-12.el8_10.src.rpm SHA-256: f0371a17df9dad9edf1640342da76c593ba116cf0febb74c095897e5926137e9 aarch64 jq-1.6-12.el8_10.aarch64.rpm SHA-256: 6957f091cae9c0a9e946e43954dab041e595843c2b0e38838a8dc3bc34f6b1bf jq-debuginfo-1.6-12.el8_10.aarch64.rpm SHA-256: 7022ecd75422e252f2366c584fdbba52c6933b02b0c2661a3dbb3ab86e8e58d8 jq-debugsource-1.6-12.el8_10.aarch64.rpm SHA-256: b573993fa6a1f3368d8e161d7f3f313a67a422ecc8fee4349ba626d2501f6270 Red Hat CodeReady Linux Builder for x86_64 8 SRPM x86_64 jq-debuginfo-1.6-12.el8_10.i686.rpm SHA-256: 512ca6c353521065fd65c8007bd91f642a015d7082f6407fa6904fec6b5591d3 jq-debuginfo-1.6-12.el8_10.x86_64.rpm SHA-256: ba815e3d15ab81272bab41a02db800486672bf5e8803e9001edbba20682499c5 jq-debugsource-1.6-12.el8_10.i686.rpm SHA-256: a3416efc8fe05e2e3e081e3cbff024c91818cbd9410fbf271bd66684cbc78f8f jq-debugsource-1.6-12.el8_10.x86_64.rpm SHA-256: a86f11a8a76e28636b4b1f8504efa10ed4e4dac6e910f25b49738e16ba7d0ff2 jq-devel-1.6-12.el8_10.i686.rpm SHA-256: 257d1f9882f0706172e90fd1e5ecaf76121f5c6d449e92b386cd11a491e2aeed jq-devel-1.6-12.el8_10.x86_64.rpm SHA-256: 63a46f6fc876ce03ef9a9a1c50f1bc09ea3fdfcd63f8437e95f1402e0c55f72e Red Hat CodeReady Linux Builder for Power, little endian 8 SRPM ppc64le jq-debuginfo-1.6-12.el8_10.ppc64le.rpm SHA-256: a69b8cd19abc906527c55cdf3e5a7e70b830e608e7dc6b1f2663e3820c1d539b jq-debugsource-1.6-12.el8_10.ppc64le.rpm SHA-256: bfb09daa6ff42ddd37f78a92a2d74c2dd9a8336830c5f3a8200a8e0f9b536e7c jq-devel-1.6-12.el8_10.ppc64le.rpm SHA-256: 249bf423d56b3426f05ae5e9dbecc3d0a7ff89f413adb771d1975b1a8b3b1221 Red Hat CodeReady Linux Builder for ARM 64 8 SRPM aarch64 jq-debuginfo-1.6-12.el8_10.aarch64.rpm SHA-256: 7022ecd75422e252f2366c584fdbba52c6933b02b0c2661a3dbb3ab86e8e58d8 jq-debugsource-1.6-12.el8_10.aarch64.rpm SHA-256: b573993fa6a1f3368d8e161d7f3f313a67a422ecc8fee4349ba626d2501f6270 jq-devel-1.6-12.el8_10.aarch64.rpm SHA-256: ab1629dd92b873e0a8546e6d578676613bf5965de5dca3b1de784f41fc2b7dc6 Red Hat CodeReady Linux Builder for IBM z Systems 8 SRPM s390x jq-debuginfo-1.6-12.el8_10.s390x.rpm SHA-256: 9454ef6fc103e894ec1efdb995efa53df40e4495c92ef2e97ce27a7ee0ebdc52 jq-debugsource-1.6-12.el8_10.s390x.rpm SHA-256: 9cd40746de65397b619eed21f2485c5c8b6b965adc345580b274867943194dc4 jq-devel-1.6-12.el8_10.s390x.rpm SHA-256: e881653a402e0e260e288dc12b0f99f060a4e99d1acd46f4c28b2f49377e77a4 Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 8.10 SRPM jq-1.6-12.el8_10.src.rpm SHA-256: f0371a17df9dad9edf1640342da76c593ba116cf0febb74c095897e5926137e9 x86_64 jq-1.6-12.el8_10.i686.rpm SHA-256: 7aa8c67cf06b7c88f78de400a2cb2cee6f81d48c20fc2034706058b8c93eb6a0 jq-1.6-12.el8_10.x86_64.rpm SHA-256: 88e62c63c8b6be1edadc0fcdf68b60367dbb662dd84916e162e469792d105f46 jq-debuginfo-1.6-12.el8_10.i686.rpm SHA-256: 512ca6c353521065fd65c8007bd91f642a015d7082f6407fa6904fec6b5591d3 jq-debuginfo-1.6-12.el8_10.x86_64.rpm SHA-256: ba815e3d15ab81272bab41a02db800486672bf5e8803e9001edbba20682499c5 jq-debugsource-1.6-12.el8_10.i686.rpm SHA-256: a3416efc8fe05e2e3e081e3cbff024c91818cbd9410fbf271bd66684cbc78f8f jq-debugsource-1.6-12.el8_10.x86_64.rpm SHA-256: a86f11a8a76e28636b4b1f8504efa10ed4e4dac6e910f25b49738e16ba7d0ff2 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 8.10 SRPM jq-1.6-12.el8_10.src.rpm SHA-256: f0371a17df9dad9edf1640342da76c593ba116cf0febb74c095897e5926137e9 aarch64 jq-1.6-12.el8_10.aarch64.rpm SHA-256: 6957f091cae9c0a9e946e43954dab041e595843c2b0e38838a8dc3bc34f6b1bf jq-debuginfo-1.6-12.el8_10.aarch64.rpm SHA-256: 7022ecd75422e252f2366c584fdbba52c6933b02b0c2661a3dbb3ab86e8e58d8 jq-debugsource-1.6-12.el8_10.aarch64.rpm SHA-256: b573993fa6a1f3368d8e161d7f3f313a67a422ecc8fee4349ba626d2501f6270 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 8.10 SRPM jq-1.6-12.el8_10.src.rpm SHA-256: f0371a17df9dad9edf1640342da76c593ba116cf0febb74c095897e5926137e9 ppc64le jq-1.6-12.el8_10.ppc64le.rpm SHA-256: db546534302de8085b16ce0cb01e15218dc188d9855f75f9e49b4cb752e09cf1 jq-debuginfo-1.6-12.el8_10.ppc64le.rpm SHA-256: a69b8cd19abc906527c55cdf3e5a7e70b830e608e7dc6b1f2663e3820c1d539b jq-debugsource-1.6-12.el8_10.ppc64le.rpm SHA-256: bfb09daa6ff42ddd37f78a92a2d74c2dd9a8336830c5f3a8200a8e0f9b536e7c Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 8.10 SRPM jq-1.6-12.el8_10.src.rpm SHA-256: f0371a17df9dad9edf1640342da76c593ba116cf0febb74c095897e5926137e9 s390x jq-1.6-12.el8_10.s390x.rpm SHA-256: 1d9d77c7c0f65e9893efc07efee09a9c0ff10a7e770d60409f9b7f278d19a0b0 jq-debuginfo-1.6-12.el8_10.s390x.rpm SHA-256: 9454ef6fc103e894ec1efdb995efa53df40e4495c92ef2e97ce27a7ee0ebdc52 jq-debugsource-1.6-12.el8_10.s390x.rpm SHA-256: 9cd40746de65397b619eed21f2485c5c8b6b965adc345580b274867943194dc4 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .

Read Full Article → ← Back to News

RHSA-2026:16252: Important: jq security update

Related Articles

Share this article