Red Hat Product Errata RHSA-2026:18045 - Security Advisory Issued: 2026-05-18 Updated: 2026-05-18 RHSA-2026:18045 - Security Advisory Overview Updated Packages Synopsis Important: jq security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for jq is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text. Security Fix(es): jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979) jq: jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 s390x Fixes BZ - 2458077 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers BZ - 2458084 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions CVEs CVE-2026-39979 CVE-2026-40164 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 SRPM jq-1.6-12.el9_0.3.src.rpm SHA-256: 6d761182e86bd0ddb909ee65edf4abf33e517cdb988342030b301a22d69f4b6f ppc64le jq-1.6-12.el9_0.3.ppc64le.rpm SHA-256: 291426fe03b398031022aee63a005d4d18defd8f5ff1cf54eceadc1a81e41012 jq-debuginfo-1.6-12.el9_0.3.ppc64le.rpm SHA-256: 5a269ab81bf44ecbf0458175b18eded5a757dab6d96e16b3fe8e4ff7b88c8719 jq-debugsource-1.6-12.el9_0.3.ppc64le.rpm SHA-256: db3ef4acc187856bcb794a085aa27524ce3d422249e816f0ce947c7efe920ab9 Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 SRPM jq-1.6-12.el9_0.3.src.rpm SHA-256: 6d761182e86bd0ddb909ee65edf4abf33e517cdb988342030b301a22d69f4b6f x86_64 jq-1.6-12.el9_0.3.i686.rpm SHA-256: 3ac357a8d9620f044a3048ea8ac52165a075b9da83dd065fb81b363b5dd19f16 jq-1.6-12.el9_0.3.x86_64.rpm SHA-256: f8ed5820010921854ef3db35d9512fc0fe458a9af48c4b96264e1482bff95ec3 jq-debuginfo-1.6-12.el9_0.3.i686.rpm SHA-256: 9347bd3e27839ae4fd5bde4b7de235abba63e26ceca7636ab9a94e511efbcd19 jq-debuginfo-1.6-12.el9_0.3.x86_64.rpm SHA-256: 5735e2a3588df6d3ba355a9eb20ec47a092c8bde955dc89be24d01e93a48bcf0 jq-debugsource-1.6-12.el9_0.3.i686.rpm SHA-256: b6be9dbb93afcfb838ff79c0f99d0dbc74bc4ec043effddc6a8cefc7e5699e16 jq-debugsource-1.6-12.el9_0.3.x86_64.rpm SHA-256: 551304adeb9e85357a29d927e517d5528956104f1473f2bd05b5d203fcbf80a5 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.0 SRPM jq-1.6-12.el9_0.3.src.rpm SHA-256: 6d761182e86bd0ddb909ee65edf4abf33e517cdb988342030b301a22d69f4b6f aarch64 jq-1.6-12.el9_0.3.aarch64.rpm SHA-256: 9711401478ac3685ac115e11b45759e35ac1a7988e4f5a365fe320d9a544d78a jq-debuginfo-1.6-12.el9_0.3.aarch64.rpm SHA-256: 7077bbca0cc31e26f661bc6b998a6ae5e6bd32bd0cbe60a56b2f6ee4c31a9188 jq-debugsource-1.6-12.el9_0.3.aarch64.rpm SHA-256: e45eb5dd395f13e86b5adb0478700e59e9b3753402d7965b2db1ae5c25b11d68 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.0 SRPM jq-1.6-12.el9_0.3.src.rpm SHA-256: 6d761182e86bd0ddb909ee65edf4abf33e517cdb988342030b301a22d69f4b6f s390x jq-1.6-12.el9_0.3.s390x.rpm SHA-256: 7aca0a76cc117f7cf5d8b5d05f120faf4fc8269adc966d5153731c51a570f683 jq-debuginfo-1.6-12.el9_0.3.s390x.rpm SHA-256: 05359cba6f5ba56c13f9c34322e553730069c55739ac1ad2e951eff72803f8da jq-debugsource-1.6-12.el9_0.3.s390x.rpm SHA-256: ccdebd67cf1b1169b7da0237f740940fdac1d8f5f293286345725ea3c5ff395e The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .