Security News

Cybersecurity news aggregator

HIGH Updates Red Hat Errata

RHSA-2026:16693: Important: jq security update

This security update addresses two vulnerabilities in the `jq` JSON processor: an out-of-bounds read in `jv_parse_sized()` (CVE-2026-39979, CVSS 6.5 MEDIUM) and a denial-of-service via hash collisions from a crafted JSON object (CVE-2026-40164, CVSS 7.5 HIGH). According to NVD data, `jqlang jq` versions prior to the release dated 2026-04-12 are affected. The advisory provides updated packages for Red Hat Enterprise Linux 9 to remediate these issues.

Red Hat Product Errata: RHSA-2026:16693 - Security Advisory

Issued: 2026-05-13
Updated: 2026-05-13

Synopsis

Important: jq security update

Type/Severity

Security Advisory: Important

Topic

An update for jq is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text.

Security Fix(es):

jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979)
jq: jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux for x86_64 9 x86_64
Red Hat Enterprise Linux for IBM z Systems 9 s390x
Red Hat Enterprise Linux for Power, little endian 9 ppc64le
Red Hat Enterprise Linux for ARM 64 9 aarch64
Red Hat CodeReady Linux Builder for x86_64 9 x86_64
Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x

Fixes

BZ - 2458077 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers
BZ - 2458084 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions

CVEs

CVE-2026-39979
CVE-2026-40164

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
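
A host-side check for this advisory, as an added example that is not part of the advisory or of Red Hat tooling: it reimplements rpm's version ordering and flags hosts whose jq version-release sorts before jq-1.6-19.el9_7.0.2, the build named in the advisory's package list. The inventory layout (a host name followed by the output of `rpm -q --qf '%{VERSION} %{RELEASE}\n' jq`), the host names, and the premise that all hosts are RHEL 9 with the same epoch are assumptions.

```python
import re

# Added example (not from the advisory): list hosts whose jq build predates the fix.
FIXED = ("1.6", "19.el9_7.0.2")  # version, release of the advisory's RHEL 9 build
SKIP, DIGITS, ALPHA = (re.compile(p) for p in (r"[^A-Za-z0-9~^]*", r"[0-9]+", r"[A-Za-z]+"))

def rpmvercmp(a, b):
    """Order two version or release strings as rpm does: -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators; '~' and '^' are kept because they affect ordering.
        i, j = SKIP.match(a, i).end(), SKIP.match(b, j).end()
        ca, cb = a[i:i + 1], b[j:j + 1]      # "" once a string is exhausted
        if "~" in (ca, cb):                  # tilde sorts before everything
            if ca != cb:
                return 1 if ca != "~" else -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):                  # caret sorts after, except end of string
            if not (ca and cb):
                return 1 if ca else -1
            if ca != cb:
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        seg = DIGITS if ca.isdigit() else ALPHA
        sa, mb = seg.match(a, i).group(), seg.match(b, j)
        if mb is None:                       # digits vs letters: digits are newer
            return 1 if seg is DIGITS else -1
        sb = mb.group()
        i, j = i + len(sa), j + len(sb)
        if seg is DIGITS:                    # compare as integers of any length
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return (i < len(a)) - (j < len(b))

def outdated(inventory, fixed=FIXED):
    """Hosts whose jq version-release sorts before the fixed build."""
    rows = (line.split() for line in inventory.splitlines() if line.strip())
    return [h for h, v, r in rows
            if (rpmvercmp(v, fixed[0]) or rpmvercmp(r, fixed[1])) < 0]
# Constructed inventory: "<host> <VERSION> <RELEASE>" per line.
SAMPLE = "web01 1.6 17.el9\nweb02 1.6 19.el9_7.0.2\ndb01 1.6 19.el9_7\ndb02 1.6 19.el9_7.0.3\n"
print(outdated(SAMPLE))
```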
