Red Hat Product Security issued an advisory (RHSA-2026:19365) for jq, a JSON processor utility, addressing two vulnerabilities: an out-of-bounds read (CVE-2026-39979) triggered by error formatting of non-NUL-terminated buffers in jv_parse_sized(), and a denial of service (CVE-2026-40164) caused by crafted JSON objects that induce hash collisions. These vulnerabilities affect Red Hat Enterprise Linux 9 and related products across multiple architectures. The advisory rates the update as Important and provides updated package versions to remediate the issues. Detailed CVSS scores are not provided in the advisory. The vendor recommends applying the update as described in their official documentation.

The out-of-bounds read vulnerability could potentially lead to application crashes or undefined behavior when jq processes malformed JSON input. The denial of service vulnerability allows an attacker to cause jq to consume excessive resources or crash by submitting specially crafted JSON data that triggers hash collisions. Both issues could disrupt normal jq operations but no evidence of active exploitation is reported. The impact is rated as Important by Red Hat, indicating a significant security concern requiring timely remediation.

Red Hat has released updated jq packages for Red Hat Enterprise Linux 9 and related products that address these vulnerabilities. Users should apply the official security update as soon as possible following the guidance at https://access.redhat.com/articles/11258. Since this is not a cloud service, remediation requires manual update by system administrators. There are no vendor statements indicating that no action is required or that the issue is already mitigated without patching. Therefore, applying the official patch is the recommended mitigation.