Red Hat Security Advisory: jq security update
Two security vulnerabilities have been identified in jq, a command-line JSON processor used in Red Hat Enterprise Linux 8. 6 variants. The first vulnerability (CVE-2026-39979) involves an out-of-bounds read in the jv_parse_sized() function when handling non-NUL-terminated buffers. The second vulnerability (CVE-2026-40164) allows denial of service via crafted JSON objects causing hash collisions. Red Hat has released an important security update addressing these issues for affected Red Hat Enterprise Linux 8. 6 products. No CVSS scores are provided in the advisory. No known exploits in the wild have been reported. Users should apply the available update to mitigate these vulnerabilities.
AI Analysis
Technical Summary
jq is a lightweight command-line JSON processor included in Red Hat Enterprise Linux 8.6 and related variants. Two security issues have been fixed: an out-of-bounds read in the jv_parse_sized() function triggered by error formatting of non-NUL-terminated buffers (CVE-2026-39979), and a denial of service vulnerability caused by crafted JSON objects that produce hash collisions (CVE-2026-40164). These vulnerabilities could lead to application crashes or denial of service conditions. Red Hat has issued an important security advisory (RHSA-2026:18047) with updated jq packages to resolve these issues. The advisory does not provide CVSS scores but rates the impact as important (high severity). No exploits are currently known in the wild.
Potential Impact
The out-of-bounds read vulnerability may cause jq to read memory beyond allocated buffers, potentially leading to crashes or undefined behavior. The denial of service vulnerability can be triggered by specially crafted JSON input causing hash collisions, resulting in resource exhaustion or application unavailability. Both vulnerabilities affect jq usage on Red Hat Enterprise Linux 8.6 variants. There are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
Red Hat has released updated jq packages for Red Hat Enterprise Linux 8.6 and related variants that address these vulnerabilities. Users should apply these official updates promptly to remediate the issues. Detailed update instructions are available in the Red Hat advisory (https://access.redhat.com/articles/11258). No additional mitigation steps are indicated or required beyond applying the provided patches.
Red Hat Security Advisory: jq security update
Description
Two security vulnerabilities have been identified in jq, a command-line JSON processor used in Red Hat Enterprise Linux 8. 6 variants. The first vulnerability (CVE-2026-39979) involves an out-of-bounds read in the jv_parse_sized() function when handling non-NUL-terminated buffers. The second vulnerability (CVE-2026-40164) allows denial of service via crafted JSON objects causing hash collisions. Red Hat has released an important security update addressing these issues for affected Red Hat Enterprise Linux 8. 6 products. No CVSS scores are provided in the advisory. No known exploits in the wild have been reported. Users should apply the available update to mitigate these vulnerabilities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
jq is a lightweight command-line JSON processor included in Red Hat Enterprise Linux 8.6 and related variants. Two security issues have been fixed: an out-of-bounds read in the jv_parse_sized() function triggered by error formatting of non-NUL-terminated buffers (CVE-2026-39979), and a denial of service vulnerability caused by crafted JSON objects that produce hash collisions (CVE-2026-40164). These vulnerabilities could lead to application crashes or denial of service conditions. Red Hat has issued an important security advisory (RHSA-2026:18047) with updated jq packages to resolve these issues. The advisory does not provide CVSS scores but rates the impact as important (high severity). No exploits are currently known in the wild.
Potential Impact
The out-of-bounds read vulnerability may cause jq to read memory beyond allocated buffers, potentially leading to crashes or undefined behavior. The denial of service vulnerability can be triggered by specially crafted JSON input causing hash collisions, resulting in resource exhaustion or application unavailability. Both vulnerabilities affect jq usage on Red Hat Enterprise Linux 8.6 variants. There are no reports of active exploitation in the wild at this time.
Mitigation Recommendations
Red Hat has released updated jq packages for Red Hat Enterprise Linux 8.6 and related variants that address these vulnerabilities. Users should apply these official updates promptly to remediate the issues. Detailed update instructions are available in the Red Hat advisory (https://access.redhat.com/articles/11258). No additional mitigation steps are indicated or required beyond applying the provided patches.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:18047
- Cve Count
- 2
- Additional Cves
- ["CVE-2026-40164"]
- Cvss Version
- null
Threat ID: 6a1f4e85e29bf47b5007dc7c
Added to database: 6/2/2026, 9:43:33 PM
Last enriched: 6/2/2026, 9:49:50 PM
Last updated: 6/3/2026, 4:58:16 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.