Red Hat Security Advisory: jq security update
Red Hat has issued a security advisory for the jq command-line JSON processor addressing two vulnerabilities: an out-of-bounds read in the jv_parse_sized() function when handling non-NUL-terminated buffers (CVE-2026-39979), and a denial of service caused by crafted JSON objects triggering hash collisions (CVE-2026-40164). These issues affect multiple Red Hat Enterprise Linux 9. 4 Extended Update Support variants and related products. The advisory rates the impact as Important and provides updated packages to remediate the vulnerabilities. No CVSS scores are provided in the advisory. No known exploits in the wild have been reported at this time.
AI Analysis
Technical Summary
The jq utility, used for processing JSON data on the command line, contains two security flaws. The first (CVE-2026-39979) is an out-of-bounds read vulnerability in the jv_parse_sized() function triggered by error formatting of non-NUL-terminated buffers, which could lead to memory safety issues. The second (CVE-2026-40164) is a denial of service vulnerability caused by specially crafted JSON objects that induce hash collisions, potentially causing jq to consume excessive resources or crash. Red Hat has released updated jq packages for Red Hat Enterprise Linux 9.4 Extended Update Support and related products to address these vulnerabilities.
Potential Impact
Successful exploitation of CVE-2026-39979 could result in out-of-bounds memory reads, which may lead to application crashes or potentially expose sensitive memory contents. CVE-2026-40164 could allow an attacker to cause denial of service by supplying crafted JSON input that triggers hash collisions, leading to resource exhaustion or jq process termination. The advisory rates the overall security impact as Important. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Red Hat has released updated jq packages for affected Red Hat Enterprise Linux 9.4 Extended Update Support and related products. Users should apply these official updates promptly to remediate the vulnerabilities. For detailed instructions on applying the update, refer to the Red Hat article at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by the vendor advisory.
Red Hat Security Advisory: jq security update
Description
Red Hat has issued a security advisory for the jq command-line JSON processor addressing two vulnerabilities: an out-of-bounds read in the jv_parse_sized() function when handling non-NUL-terminated buffers (CVE-2026-39979), and a denial of service caused by crafted JSON objects triggering hash collisions (CVE-2026-40164). These issues affect multiple Red Hat Enterprise Linux 9. 4 Extended Update Support variants and related products. The advisory rates the impact as Important and provides updated packages to remediate the vulnerabilities. No CVSS scores are provided in the advisory. No known exploits in the wild have been reported at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The jq utility, used for processing JSON data on the command line, contains two security flaws. The first (CVE-2026-39979) is an out-of-bounds read vulnerability in the jv_parse_sized() function triggered by error formatting of non-NUL-terminated buffers, which could lead to memory safety issues. The second (CVE-2026-40164) is a denial of service vulnerability caused by specially crafted JSON objects that induce hash collisions, potentially causing jq to consume excessive resources or crash. Red Hat has released updated jq packages for Red Hat Enterprise Linux 9.4 Extended Update Support and related products to address these vulnerabilities.
Potential Impact
Successful exploitation of CVE-2026-39979 could result in out-of-bounds memory reads, which may lead to application crashes or potentially expose sensitive memory contents. CVE-2026-40164 could allow an attacker to cause denial of service by supplying crafted JSON input that triggers hash collisions, leading to resource exhaustion or jq process termination. The advisory rates the overall security impact as Important. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Red Hat has released updated jq packages for affected Red Hat Enterprise Linux 9.4 Extended Update Support and related products. Users should apply these official updates promptly to remediate the vulnerabilities. For detailed instructions on applying the update, refer to the Red Hat article at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:18043
- Cve Count
- 2
- Additional Cves
- ["CVE-2026-40164"]
- Cvss Version
- null
Threat ID: 6a1f4e85e29bf47b5007dc75
Added to database: 6/2/2026, 9:43:33 PM
Last enriched: 6/2/2026, 9:49:37 PM
Last updated: 6/3/2026, 5:02:17 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.