An important update for the `jq` JSON processor addresses two vulnerabilities: an out-of-bounds read in `jv_parse_sized()` (CVE-2026-39979, CVSS 6.5 MEDIUM) and a denial of service via crafted JSON objects causing hash collisions (CVE-2026-40164, CVSS 7.5 HIGH). The out-of-bounds read affects jqlang jq versions prior to the fixed release dated 2026-04-12. Red Hat has rated this update as Important for Red Hat Enterprise Linux 10.0 Extended Update Support and provides patched packages through its standard channels.
Red Hat Product Errata RHSA-2026:18040 - Security Advisory Issued: 2026-05-18 Updated: 2026-05-18 RHSA-2026:18040 - Security Advisory Overview Updated Packages Synopsis Important: jq security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for jq is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text. Security Fix(es): jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979) jq: jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.0 x86_64 Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.0 s390x Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2458077 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers BZ - 2458084 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions CVEs CVE-2026-39979 CVE-2026-40164 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM jq-1.7.1-8.el10_0.3.src.rpm SHA-256: 4d62660a6339edec333ae7628dfea689d0d1891870fb668a2b4cb083336a89a8 x86_64 jq-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: 98398f94f03957b12a3483ab04eb8e6ea9523e1160a13ffe3e95d03469ed8a59 jq-debuginfo-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: 74aad86ae5d049ae92335efde231d3496583b804c8084dd547a1eb07689e5e8e jq-debugsource-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: f10c1cb8cfaeacdb1ae87b1b10e2579d8aa84003f35a74bdbe97e4793deaf18d Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM jq-1.7.1-8.el10_0.3.src.rpm SHA-256: 4d62660a6339edec333ae7628dfea689d0d1891870fb668a2b4cb083336a89a8 s390x jq-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 3b4b97287287913a642d84f5468a3645cce094a4e3f98bdbb28d40071163401d jq-debuginfo-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 0f66bf7cdb2d99d84a94ccda6828bf5b7aac1e8546bb53a0887f967e0debe221 jq-debugsource-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 3d8434081f2173f011f4c3193f6491278651e90f2d008befedc5779366957140 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM jq-1.7.1-8.el10_0.3.src.rpm SHA-256: 4d62660a6339edec333ae7628dfea689d0d1891870fb668a2b4cb083336a89a8 ppc64le jq-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: e2ed48e08937205150fad8d627f9301f1a4f01d539a856d3bd65de19d2480aec jq-debuginfo-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: 1e71376e0aaebbf3a9102b1e8bbac899fabf4f58dabf533062b0e75a6e6c52bc jq-debugsource-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: f902181bb1d765c7d8312344ecce8fe21e689ddf1960b4745184a81516f1462e Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 SRPM jq-1.7.1-8.el10_0.3.src.rpm SHA-256: 4d62660a6339edec333ae7628dfea689d0d1891870fb668a2b4cb083336a89a8 aarch64 jq-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: 83dc21600fb98324c25f9f7428c867504c81aa85773e27cad4c5fbcca8b336af jq-debuginfo-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: b9b727e1d90ad0f8f36782d854e38bac55671d5d2221a68117244d8fb88e88a0 jq-debugsource-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: 2959d7ef2d381573fdcb192975c8f1f52cdd54325f23e9b6a6d8a93cb59c5d92 Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.0 SRPM x86_64 jq-debuginfo-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: 74aad86ae5d049ae92335efde231d3496583b804c8084dd547a1eb07689e5e8e jq-debugsource-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: f10c1cb8cfaeacdb1ae87b1b10e2579d8aa84003f35a74bdbe97e4793deaf18d jq-devel-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: d296e2518b7527e49c846e54f1acbe212398e434f451aee438f4c366be74bd76 Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.0 SRPM ppc64le jq-debuginfo-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: 1e71376e0aaebbf3a9102b1e8bbac899fabf4f58dabf533062b0e75a6e6c52bc jq-debugsource-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: f902181bb1d765c7d8312344ecce8fe21e689ddf1960b4745184a81516f1462e jq-devel-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: 10397b5a1a68100f64316c73017bc0283c898c899f1fcc518c2f0e1f75da7b26 Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.0 SRPM s390x jq-debuginfo-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 0f66bf7cdb2d99d84a94ccda6828bf5b7aac1e8546bb53a0887f967e0debe221 jq-debugsource-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 3d8434081f2173f011f4c3193f6491278651e90f2d008befedc5779366957140 jq-devel-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 8976a040bc9686310034d103037fb80bd9351e2628d6b5263082685c645fc66d Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.0 SRPM aarch64 jq-debuginfo-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: b9b727e1d90ad0f8f36782d854e38bac55671d5d2221a68117244d8fb88e88a0 jq-debugsource-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: 2959d7ef2d381573fdcb192975c8f1f52cdd54325f23e9b6a6d8a93cb59c5d92 jq-devel-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: 5b167b18675c168c19482b58a1ac939be6f87c05be9b93e985bba35e1030d5cd Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 SRPM jq-1.7.1-8.el10_0.3.src.rpm SHA-256: 4d62660a6339edec333ae7628dfea689d0d1891870fb668a2b4cb083336a89a8 aarch64 jq-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: 83dc21600fb98324c25f9f7428c867504c81aa85773e27cad4c5fbcca8b336af jq-debuginfo-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: b9b727e1d90ad0f8f36782d854e38bac55671d5d2221a68117244d8fb88e88a0 jq-debugsource-1.7.1-8.el10_0.3.aarch64.rpm SHA-256: 2959d7ef2d381573fdcb192975c8f1f52cdd54325f23e9b6a6d8a93cb59c5d92 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 SRPM jq-1.7.1-8.el10_0.3.src.rpm SHA-256: 4d62660a6339edec333ae7628dfea689d0d1891870fb668a2b4cb083336a89a8 s390x jq-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 3b4b97287287913a642d84f5468a3645cce094a4e3f98bdbb28d40071163401d jq-debuginfo-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 0f66bf7cdb2d99d84a94ccda6828bf5b7aac1e8546bb53a0887f967e0debe221 jq-debugsource-1.7.1-8.el10_0.3.s390x.rpm SHA-256: 3d8434081f2173f011f4c3193f6491278651e90f2d008befedc5779366957140 Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 SRPM jq-1.7.1-8.el10_0.3.src.rpm SHA-256: 4d62660a6339edec333ae7628dfea689d0d1891870fb668a2b4cb083336a89a8 ppc64le jq-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: e2ed48e08937205150fad8d627f9301f1a4f01d539a856d3bd65de19d2480aec jq-debuginfo-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: 1e71376e0aaebbf3a9102b1e8bbac899fabf4f58dabf533062b0e75a6e6c52bc jq-debugsource-1.7.1-8.el10_0.3.ppc64le.rpm SHA-256: f902181bb1d765c7d8312344ecce8fe21e689ddf1960b4745184a81516f1462e Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 SRPM jq-1.7.1-8.el10_0.3.src.rpm SHA-256: 4d62660a6339edec333ae7628dfea689d0d1891870fb668a2b4cb083336a89a8 x86_64 jq-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: 98398f94f03957b12a3483ab04eb8e6ea9523e1160a13ffe3e95d03469ed8a59 jq-debuginfo-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: 74aad86ae5d049ae92335efde231d3496583b804c8084dd547a1eb07689e5e8e jq-debugsource-1.7.1-8.el10_0.3.x86_64.rpm SHA-256: f10c1cb8cfaeacdb1ae87b1b10e2579d8aa84003f35a74bdbe97e4793deaf18d The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .