jq, a command-line JSON processor included in Red Hat Enterprise Linux 8.8 and related update services, contains two vulnerabilities: an out-of-bounds read in the jv_parse_sized() function when handling non-NUL-terminated buffers (CVE-2026-39979), and a denial of service vulnerability via crafted JSON objects causing hash collisions (CVE-2026-40164). These issues could lead to application crashes or denial of service conditions. Red Hat Product Security has released updated jq packages to fix these vulnerabilities, rated with an important security impact. The advisory covers multiple Red Hat Enterprise Linux 8.8 variants and architectures. No CVSS scores are provided in the advisory, and no exploits are known to be active in the wild.

The out-of-bounds read vulnerability can cause jq to read memory beyond allocated buffers, potentially leading to crashes or undefined behavior. The denial of service vulnerability allows an attacker to craft JSON input that causes hash collisions, resulting in jq consuming excessive resources and becoming unresponsive. Both vulnerabilities impact jq's reliability and availability when processing maliciously crafted JSON data. There are no reports of exploitation in the wild at this time.

Red Hat has released updated jq packages for Red Hat Enterprise Linux 8.8 and related update services that address these vulnerabilities. Users should apply these official security updates promptly following Red Hat's published instructions (https://access.redhat.com/articles/11258). Since a vendor-provided fix is available, applying the update is the recommended remediation. No additional mitigation steps are indicated by the vendor advisory.