The jq utility in Red Hat Enterprise Linux 8 and related products contains two security flaws. CVE-2026-39979 is an out-of-bounds read vulnerability in the jv_parse_sized() function triggered by error formatting of non-NUL-terminated buffers. CVE-2026-40164 is a denial of service vulnerability caused by crafted JSON objects that induce hash collisions. These issues could lead to application crashes or denial of service conditions when processing malicious JSON input. Red Hat has released updated jq packages to fix these vulnerabilities across multiple supported architectures and product variants. The advisory RHSA-2026:16252 provides details and instructions for applying the update.

Successful exploitation of CVE-2026-39979 could cause out-of-bounds memory reads, potentially leading to application crashes or other undefined behavior when jq processes malformed JSON input. CVE-2026-40164 enables denial of service by causing hash collisions through crafted JSON objects, which can degrade or halt jq's operation. These vulnerabilities impact jq usage on affected Red Hat Enterprise Linux 8 systems and related products. No evidence of active exploitation in the wild has been reported.

Red Hat has released updated jq packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 8 and CodeReady Linux Builder products should apply the security update as described in Red Hat advisory RHSA-2026:16252 (https://access.redhat.com/articles/11258). Applying this update will remediate the out-of-bounds read and denial of service issues. No additional mitigation steps are indicated by the vendor advisory.