Red Hat Product Errata

RHSA-2026:18044 - Security Advisory

Issued: 2026-05-18
Updated: 2026-05-18

Synopsis

Important: jq security update

Type/Severity

Security Advisory: Important

Topic

An update for jq is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text.

Security Fix(es):

jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979)
jq: jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server - AUS 9.2 x86_64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2 x86_64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2 s390x
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2 s390x

Fixes

BZ - 2458077 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers
BZ - 2458084 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions

CVEs

CVE-2026-39979
CVE-2026-40164

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux Server - AUS 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  x86_64
    jq-1.6-15.el9_2.3.i686.rpm
    jq-1.6-15.el9_2.3.x86_64.rpm
    jq-debuginfo-1.6-15.el9_2.3.i686.rpm
    jq-debuginfo-1.6-15.el9_2.3.x86_64.rpm
    jq-debugsource-1.6-15.el9_2.3.i686.rpm
    jq-debugsource-1.6-15.el9_2.3.x86_64.rpm

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  ppc64le
    jq-1.6-15.el9_2.3.ppc64le.rpm
    jq-debuginfo-1.6-15.el9_2.3.ppc64le.rpm
    jq-debugsource-1.6-15.el9_2.3.ppc64le.rpm

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  x86_64
    jq-1.6-15.el9_2.3.i686.rpm
    jq-1.6-15.el9_2.3.x86_64.rpm
    jq-debuginfo-1.6-15.el9_2.3.i686.rpm
    jq-debuginfo-1.6-15.el9_2.3.x86_64.rpm
    jq-debugsource-1.6-15.el9_2.3.i686.rpm
    jq-debugsource-1.6-15.el9_2.3.x86_64.rpm

Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  aarch64
    jq-1.6-15.el9_2.3.aarch64.rpm
    jq-debuginfo-1.6-15.el9_2.3.aarch64.rpm
    jq-debugsource-1.6-15.el9_2.3.aarch64.rpm

Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  s390x
    jq-1.6-15.el9_2.3.s390x.rpm
    jq-debuginfo-1.6-15.el9_2.3.s390x.rpm
    jq-debugsource-1.6-15.el9_2.3.s390x.rpm

Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  x86_64
    jq-1.6-15.el9_2.3.i686.rpm
    jq-1.6-15.el9_2.3.x86_64.rpm
    jq-debuginfo-1.6-15.el9_2.3.i686.rpm
    jq-debuginfo-1.6-15.el9_2.3.x86_64.rpm
    jq-debugsource-1.6-15.el9_2.3.i686.rpm
    jq-debugsource-1.6-15.el9_2.3.x86_64.rpm

Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  aarch64
    jq-1.6-15.el9_2.3.aarch64.rpm
    jq-debuginfo-1.6-15.el9_2.3.aarch64.rpm
    jq-debugsource-1.6-15.el9_2.3.aarch64.rpm

Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  ppc64le
    jq-1.6-15.el9_2.3.ppc64le.rpm
    jq-debuginfo-1.6-15.el9_2.3.ppc64le.rpm
    jq-debugsource-1.6-15.el9_2.3.ppc64le.rpm

Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.2
  SRPM
    jq-1.6-15.el9_2.3.src.rpm
  s390x
    jq-1.6-15.el9_2.3.s390x.rpm
    jq-debuginfo-1.6-15.el9_2.3.s390x.rpm
    jq-debugsource-1.6-15.el9_2.3.s390x.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

This security update addresses two vulnerabilities in the jq JSON processor: an out-of-bounds read in `jv_parse_sized()` (CVE-2026-39979, CVSS 6.5 MEDIUM) and a denial-of-service via hash collisions from crafted JSON objects (CVE-2026-40164, CVSS 7.5 HIGH). According to NVD data, jqlang jq versions prior to the release dated 2026-04-12 are affected. The fix is included in the updated packages provided by Red Hat for its supported Enterprise Linux 9.2 streams.