Red Hat Product Security has released an important security advisory (RHSA-2026:16693) for jq, a lightweight JSON processor used in Red Hat Enterprise Linux 9 and related products. The advisory addresses two vulnerabilities: CVE-2026-39979, an out-of-bounds read in the jv_parse_sized() function triggered by error formatting of non-NUL-terminated buffers, and CVE-2026-40164, a denial of service vulnerability caused by crafted JSON objects that induce hash collisions. These issues could potentially lead to application crashes or denial of service conditions when processing malicious JSON input. Updated jq packages have been made available for multiple architectures including x86_64, s390x, ppc64le, and aarch64. The advisory references detailed package updates and instructions for applying the fixes. No CVSS scores are provided, and no exploits are known to be active in the wild at this time.

The vulnerabilities could lead to out-of-bounds memory reads and denial of service conditions when jq processes specially crafted JSON data. This may cause jq to crash or become unresponsive, potentially impacting applications or scripts that rely on jq for JSON processing. There is no indication of remote code execution or data corruption beyond denial of service. No known active exploitation has been reported.

Red Hat has released updated jq packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 9 and CodeReady Linux Builder products should apply the available security updates as described in Red Hat advisory RHSA-2026:16693 and the referenced article https://access.redhat.com/articles/11258. Applying these updates will remediate the vulnerabilities. No additional mitigation steps are indicated by the vendor advisory.