An Important update for the `jq` JSON processor addresses two vulnerabilities: an out-of-bounds read in `jv_parse_sized()` (CVE-2026-39979, CVSS 6.5 MEDIUM) and a Denial of Service via hash collisions from crafted JSON objects (CVE-2026-40164, CVSS 7.5 HIGH). According to NVD data, `jqlang jq` versions prior to the release dated 2026-04-12 are affected. Red Hat has released patched packages for its supported RHEL 8.8 streams, and users should apply the update referenced in RHSA-2026:18046.
Red Hat Product Errata RHSA-2026:18046 - Security Advisory Issued: 2026-05-18 Updated: 2026-05-18 RHSA-2026:18046 - Security Advisory Overview Updated Packages Synopsis Important: jq security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for jq is now available for Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions and Red Hat Enterprise Linux 8.8 Telecommunications Update Service. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text. Security Fix(es): jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979) jq: jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 x86_64 Red Hat Enterprise Linux Server - TUS 8.8 x86_64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 x86_64 Fixes BZ - 2458077 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers BZ - 2458084 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions CVEs CVE-2026-39979 CVE-2026-40164 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support Extension 8.8 SRPM jq-1.6-6.el8_8.4.src.rpm SHA-256: 8ed7207aff4917aab7ea6a034b4311adb4ca776a0abaa7e9d47c3dcdb03aa637 x86_64 jq-1.6-6.el8_8.4.i686.rpm SHA-256: 220535758615a72c6de11e6efd0d5e3b106372f9764ae3468a10025e0980c4f3 jq-1.6-6.el8_8.4.x86_64.rpm SHA-256: 6e165470ff151d6909666a582c765f027b81fc5460a05ca9ee29814fbafd5c5e jq-debuginfo-1.6-6.el8_8.4.i686.rpm SHA-256: a7cfd61ab8a431e2caeda2411ace51e67881a777b144e2f3e49625077ef71452 jq-debuginfo-1.6-6.el8_8.4.x86_64.rpm SHA-256: 80ff150702f25ce4f2e7962ae6ad403face57f206a37c656809af15bbdae2054 jq-debugsource-1.6-6.el8_8.4.i686.rpm SHA-256: 2f37f4122110d13dc7a4c0f434f133d38796603588777637e80493227880a3b1 jq-debugsource-1.6-6.el8_8.4.x86_64.rpm SHA-256: 15d81611436b057f633165197888d1c285583a62c8010883e189114a387e4e06 Red Hat Enterprise Linux Server - TUS 8.8 SRPM jq-1.6-6.el8_8.4.src.rpm SHA-256: 8ed7207aff4917aab7ea6a034b4311adb4ca776a0abaa7e9d47c3dcdb03aa637 x86_64 jq-1.6-6.el8_8.4.i686.rpm SHA-256: 220535758615a72c6de11e6efd0d5e3b106372f9764ae3468a10025e0980c4f3 jq-1.6-6.el8_8.4.x86_64.rpm SHA-256: 6e165470ff151d6909666a582c765f027b81fc5460a05ca9ee29814fbafd5c5e jq-debuginfo-1.6-6.el8_8.4.i686.rpm SHA-256: a7cfd61ab8a431e2caeda2411ace51e67881a777b144e2f3e49625077ef71452 jq-debuginfo-1.6-6.el8_8.4.x86_64.rpm SHA-256: 80ff150702f25ce4f2e7962ae6ad403face57f206a37c656809af15bbdae2054 jq-debugsource-1.6-6.el8_8.4.i686.rpm SHA-256: 2f37f4122110d13dc7a4c0f434f133d38796603588777637e80493227880a3b1 jq-debugsource-1.6-6.el8_8.4.x86_64.rpm SHA-256: 15d81611436b057f633165197888d1c285583a62c8010883e189114a387e4e06 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.8 SRPM jq-1.6-6.el8_8.4.src.rpm SHA-256: 8ed7207aff4917aab7ea6a034b4311adb4ca776a0abaa7e9d47c3dcdb03aa637 ppc64le jq-1.6-6.el8_8.4.ppc64le.rpm SHA-256: df725b5fc28450231542a069b94622780f1a68fe7f88c56f3bdb2365399a313b jq-debuginfo-1.6-6.el8_8.4.ppc64le.rpm SHA-256: 90142df0681bbbfd8b758750e228b60313ef253d983b0c76c2f635bce6d0f9ac jq-debugsource-1.6-6.el8_8.4.ppc64le.rpm SHA-256: 2e20a89e73dbb015ce964a3e6545f287ecd27f417a51ca2750397367af44887b Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.8 SRPM jq-1.6-6.el8_8.4.src.rpm SHA-256: 8ed7207aff4917aab7ea6a034b4311adb4ca776a0abaa7e9d47c3dcdb03aa637 x86_64 jq-1.6-6.el8_8.4.i686.rpm SHA-256: 220535758615a72c6de11e6efd0d5e3b106372f9764ae3468a10025e0980c4f3 jq-1.6-6.el8_8.4.x86_64.rpm SHA-256: 6e165470ff151d6909666a582c765f027b81fc5460a05ca9ee29814fbafd5c5e jq-debuginfo-1.6-6.el8_8.4.i686.rpm SHA-256: a7cfd61ab8a431e2caeda2411ace51e67881a777b144e2f3e49625077ef71452 jq-debuginfo-1.6-6.el8_8.4.x86_64.rpm SHA-256: 80ff150702f25ce4f2e7962ae6ad403face57f206a37c656809af15bbdae2054 jq-debugsource-1.6-6.el8_8.4.i686.rpm SHA-256: 2f37f4122110d13dc7a4c0f434f133d38796603588777637e80493227880a3b1 jq-debugsource-1.6-6.el8_8.4.x86_64.rpm SHA-256: 15d81611436b057f633165197888d1c285583a62c8010883e189114a387e4e06 The Red Hat security contact is secalert@redhat.com . More contact details at https://access.redhat.com/security/team/contact/ .