Red Hat Product Security issued an advisory (RHSA-2026:18044) for jq, a lightweight JSON processor, addressing two vulnerabilities: CVE-2026-39979, an out-of-bounds read in jv_parse_sized() triggered by error formatting of non-NUL-terminated buffers, and CVE-2026-40164, a denial of service vulnerability caused by crafted JSON objects that induce hash collisions. These vulnerabilities affect Red Hat Enterprise Linux 9.2 and related packages across multiple architectures including x86_64, ppc64le, aarch64, and s390x. The advisory classifies the update as important and provides updated package versions to remediate the issues. The vendor advisory does not include CVSS scores but confirms the security impact and provides references for further details. No exploits are currently known in the wild.

The out-of-bounds read (CVE-2026-39979) could lead to potential memory safety issues when jq processes malformed JSON input that is not NUL-terminated. The denial of service vulnerability (CVE-2026-40164) could allow an attacker to cause jq to consume excessive resources or crash by submitting specially crafted JSON objects that cause hash collisions. These issues could affect systems using vulnerable versions of jq, potentially impacting applications or scripts that rely on jq for JSON processing. No known exploitation in the wild has been reported at this time.

Red Hat has released an official security update for jq that addresses both vulnerabilities. Users of affected Red Hat Enterprise Linux 9.2 versions and related packages should apply the update as soon as possible following Red Hat's published instructions (https://access.redhat.com/articles/11258). Since this is a traditional software package and not a cloud service, remediation requires manual patching by system administrators. No additional mitigation steps are indicated beyond applying the vendor-provided update.