The jq command-line JSON processor included in Red Hat Enterprise Linux 9.6 Extended Update Support contains two vulnerabilities: an out-of-bounds read (CWE-125) in the jv_parse_sized() function triggered by error formatting of non-NUL-terminated buffers, and a denial of service (CWE-341) vulnerability caused by crafted JSON objects that produce hash collisions. These issues could lead to application crashes or denial of service conditions when processing malicious JSON input. Red Hat has released updated jq packages addressing these vulnerabilities across multiple supported architectures and product variants. The advisory RHSA-2026:18042 provides detailed information and instructions for applying the update.

Successful exploitation of CVE-2026-39979 could cause out-of-bounds memory reads, potentially leading to application crashes or unexpected behavior when jq processes malformed JSON data. CVE-2026-40164 allows denial of service via specially crafted JSON objects that cause hash collisions, potentially impacting availability of services relying on jq for JSON processing. No known active exploits have been reported. The vulnerabilities affect multiple Red Hat Enterprise Linux 9.6 Extended Update Support variants and related products.

Red Hat has released updated jq packages that fix these vulnerabilities. Users of affected Red Hat Enterprise Linux 9.6 Extended Update Support and related products should apply the security update as detailed in Red Hat advisory RHSA-2026:18042 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended remediation. No additional mitigation steps are indicated by the vendor advisory.