jq is a lightweight command-line JSON processor included in Red Hat Enterprise Linux 8.4. Two security issues have been fixed: an out-of-bounds read in the jv_parse_sized() function triggered by error formatting of non-NUL-terminated buffers (CVE-2026-39979), and a denial of service vulnerability caused by crafted JSON objects that induce hash collisions (CVE-2026-40164). These vulnerabilities could lead to memory safety issues and service disruption respectively. Red Hat Product Security has rated these issues as important and released updated jq packages to address them. The advisory RHSA-2026:18048 provides details and links to updated packages for affected Red Hat Enterprise Linux 8.4 variants.

The out-of-bounds read vulnerability may cause jq to read memory outside the intended buffer, potentially leading to crashes or undefined behavior. The denial of service vulnerability allows an attacker to craft JSON input that causes hash collisions, potentially causing jq to consume excessive resources and become unresponsive. Both issues impact jq processing on affected Red Hat Enterprise Linux 8.4 systems. There are no reports of active exploitation in the wild. The impact is rated as important by Red Hat, indicating a high severity but not critical.

Red Hat has released updated jq packages for Red Hat Enterprise Linux 8.4 Extended Update Support and Advanced Update Support variants that fix these vulnerabilities. Users should apply these official updates promptly to remediate the issues. Detailed update instructions and package downloads are available in the Red Hat advisory RHSA-2026:18048 and the referenced article https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by Red Hat beyond applying the provided patches.