Red Hat Security Advisory: jq security update
Two security vulnerabilities were identified in jq, a command-line JSON processor included in Red Hat Enterprise Linux 10. The first is an out-of-bounds read in the jv_parse_sized() function triggered by error formatting for non-NUL-terminated buffers (CVE-2026-39979). The second is a denial of service vulnerability caused by crafted JSON objects that induce hash collisions (CVE-2026-40164). Red Hat has issued an important security advisory and released updated jq packages addressing these issues. The vulnerabilities affect multiple architectures and variants of Red Hat Enterprise Linux 10 and CodeReady Linux Builder 10. No known exploits are reported in the wild. Users are advised to apply the provided updates to remediate these vulnerabilities.
AI Analysis
Technical Summary
jq, a lightweight JSON processor used in Red Hat Enterprise Linux 10, contains two vulnerabilities: an out-of-bounds read in the jv_parse_sized() function when handling non-NUL-terminated buffers (CVE-2026-39979), and a denial of service vulnerability via crafted JSON objects that cause hash collisions (CVE-2026-40164). These issues could lead to memory safety problems and service disruption. Red Hat has released updated jq packages for multiple architectures and product variants to fix these vulnerabilities as detailed in advisory RHSA-2026:19151.
Potential Impact
The out-of-bounds read vulnerability could cause a program crash or memory corruption when processing malformed JSON input. The denial of service vulnerability allows an attacker to cause jq to consume excessive resources or crash by submitting specially crafted JSON objects that trigger hash collisions. Both vulnerabilities impact jq usage on affected Red Hat Enterprise Linux 10 systems. No evidence of exploitation in the wild has been reported.
Mitigation Recommendations
Red Hat has released updated jq packages that address these vulnerabilities. Users running affected versions of Red Hat Enterprise Linux 10 and related products should apply the updates as described in Red Hat advisory RHSA-2026:19151 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended remediation. Patch status is confirmed as available from the vendor advisory.
Red Hat Security Advisory: jq security update
Description
Two security vulnerabilities were identified in jq, a command-line JSON processor included in Red Hat Enterprise Linux 10. The first is an out-of-bounds read in the jv_parse_sized() function triggered by error formatting for non-NUL-terminated buffers (CVE-2026-39979). The second is a denial of service vulnerability caused by crafted JSON objects that induce hash collisions (CVE-2026-40164). Red Hat has issued an important security advisory and released updated jq packages addressing these issues. The vulnerabilities affect multiple architectures and variants of Red Hat Enterprise Linux 10 and CodeReady Linux Builder 10. No known exploits are reported in the wild. Users are advised to apply the provided updates to remediate these vulnerabilities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
jq, a lightweight JSON processor used in Red Hat Enterprise Linux 10, contains two vulnerabilities: an out-of-bounds read in the jv_parse_sized() function when handling non-NUL-terminated buffers (CVE-2026-39979), and a denial of service vulnerability via crafted JSON objects that cause hash collisions (CVE-2026-40164). These issues could lead to memory safety problems and service disruption. Red Hat has released updated jq packages for multiple architectures and product variants to fix these vulnerabilities as detailed in advisory RHSA-2026:19151.
Potential Impact
The out-of-bounds read vulnerability could cause a program crash or memory corruption when processing malformed JSON input. The denial of service vulnerability allows an attacker to cause jq to consume excessive resources or crash by submitting specially crafted JSON objects that trigger hash collisions. Both vulnerabilities impact jq usage on affected Red Hat Enterprise Linux 10 systems. No evidence of exploitation in the wild has been reported.
Mitigation Recommendations
Red Hat has released updated jq packages that address these vulnerabilities. Users running affected versions of Red Hat Enterprise Linux 10 and related products should apply the updates as described in Red Hat advisory RHSA-2026:19151 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended remediation. Patch status is confirmed as available from the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:19151
- Cve Count
- 2
- Additional Cves
- ["CVE-2026-40164"]
- Cvss Version
- null
Threat ID: 6a1f4e85e29bf47b5007dc4b
Added to database: 6/2/2026, 9:43:33 PM
Last enriched: 6/2/2026, 9:48:41 PM
Last updated: 6/3/2026, 5:04:17 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.