Red Hat Security Advisory: jq security update
Red Hat has issued a security advisory for jq, a command-line JSON processor, addressing two vulnerabilities: an out-of-bounds read in jv_parse_sized() triggered by non-NUL-terminated buffers (CVE-2026-39979) and a denial of service via crafted JSON objects causing hash collisions (CVE-2026-40164). These vulnerabilities affect multiple Red Hat Enterprise Linux 10 variants and related products. The advisory rates the security impact as Important (high severity). Updated packages are available to remediate these issues.
AI Analysis
Technical Summary
The jq utility in Red Hat Enterprise Linux 10 contains two security flaws. The first (CVE-2026-39979) is an out-of-bounds read vulnerability in the jv_parse_sized() function when handling error formatting for non-NUL-terminated buffers, categorized under CWE-125. The second (CVE-2026-40164) is a denial of service vulnerability caused by crafted JSON objects that induce hash collisions, categorized under CWE-341. These vulnerabilities could lead to application crashes or denial of service conditions. Red Hat has released updated jq packages to address these issues across multiple architectures and product variants.
Potential Impact
Successful exploitation of CVE-2026-39979 could cause out-of-bounds memory reads, potentially leading to application crashes or undefined behavior. CVE-2026-40164 could allow denial of service by triggering hash collisions with crafted JSON input, impacting availability of jq processing. There are no known exploits in the wild at this time. The security impact is rated as Important by Red Hat Product Security.
Mitigation Recommendations
Red Hat has released updated jq packages for Red Hat Enterprise Linux 10 and related products to fix these vulnerabilities. Users should apply the available security updates as described in the Red Hat advisory RHSA-2026:16692 and the referenced article https://access.redhat.com/articles/11258. Patch status is confirmed as fixed by Red Hat. No additional mitigation steps are indicated beyond applying the official update.
Red Hat Security Advisory: jq security update
Description
Red Hat has issued a security advisory for jq, a command-line JSON processor, addressing two vulnerabilities: an out-of-bounds read in jv_parse_sized() triggered by non-NUL-terminated buffers (CVE-2026-39979) and a denial of service via crafted JSON objects causing hash collisions (CVE-2026-40164). These vulnerabilities affect multiple Red Hat Enterprise Linux 10 variants and related products. The advisory rates the security impact as Important (high severity). Updated packages are available to remediate these issues.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The jq utility in Red Hat Enterprise Linux 10 contains two security flaws. The first (CVE-2026-39979) is an out-of-bounds read vulnerability in the jv_parse_sized() function when handling error formatting for non-NUL-terminated buffers, categorized under CWE-125. The second (CVE-2026-40164) is a denial of service vulnerability caused by crafted JSON objects that induce hash collisions, categorized under CWE-341. These vulnerabilities could lead to application crashes or denial of service conditions. Red Hat has released updated jq packages to address these issues across multiple architectures and product variants.
Potential Impact
Successful exploitation of CVE-2026-39979 could cause out-of-bounds memory reads, potentially leading to application crashes or undefined behavior. CVE-2026-40164 could allow denial of service by triggering hash collisions with crafted JSON input, impacting availability of jq processing. There are no known exploits in the wild at this time. The security impact is rated as Important by Red Hat Product Security.
Mitigation Recommendations
Red Hat has released updated jq packages for Red Hat Enterprise Linux 10 and related products to fix these vulnerabilities. Users should apply the available security updates as described in the Red Hat advisory RHSA-2026:16692 and the referenced article https://access.redhat.com/articles/11258. Patch status is confirmed as fixed by Red Hat. No additional mitigation steps are indicated beyond applying the official update.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:16692
- Cve Count
- 2
- Additional Cves
- ["CVE-2026-40164"]
- Cvss Version
- null
Threat ID: 6a1f4e85e29bf47b5007d9b2
Added to database: 6/2/2026, 9:43:33 PM
Last enriched: 6/2/2026, 9:48:20 PM
Last updated: 6/3/2026, 5:02:42 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.