The jq JSON processor in Red Hat Enterprise Linux 9.0 contains two security flaws: an out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979) and a denial of service vulnerability caused by hash collisions from crafted JSON objects (CVE-2026-40164). These issues could lead to application crashes or denial of service conditions when processing malicious JSON input. Red Hat has released updated jq packages for multiple architectures (x86_64, ppc64le, aarch64, s390x) to address these vulnerabilities. The advisory classifies the impact as important and high severity. The vendor provides detailed update instructions and package downloads via their security advisory portal.

The out-of-bounds read vulnerability may cause jq to read memory beyond allocated buffers, potentially leading to crashes or undefined behavior. The denial of service vulnerability allows attackers to craft JSON input that triggers hash collisions, causing jq to consume excessive resources and become unresponsive. Both vulnerabilities impact jq's reliability and availability when processing untrusted JSON data. There are no reports of exploitation in the wild. The vulnerabilities affect Red Hat Enterprise Linux 9.0 and related jq packages across multiple hardware architectures.

Red Hat has released updated jq packages that fix these vulnerabilities. Users of affected Red Hat Enterprise Linux 9.0 versions should apply the security update as described in Red Hat advisory RHSA-2026:18045 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended remediation. No additional mitigation steps are indicated by the vendor advisory. Patch status is confirmed as official fix available.