Red Hat Product Security issued an advisory for jq, a command-line JSON processor, addressing two vulnerabilities: a signed integer overflow in jv.c:jvp_array_write (CVE-2024-23337) and a stack-buffer-overflow in jq_fuzz_execute (CVE-2025-48060). These vulnerabilities affect Red Hat Enterprise Linux 10 and related CodeReady Linux Builder products across multiple architectures (x86_64, s390x, ppc64le, aarch64). The advisory rates the security impact as Moderate and provides updated packages to fix these issues. The vulnerabilities correspond to CWE-190 (Integer Overflow) and CWE-126 (Buffer Over-read). No CVSS base scores are provided in the advisory, and no known exploits have been reported. The vendor advisory includes detailed package updates and instructions for remediation.

The vulnerabilities could potentially allow memory corruption due to integer overflow and stack buffer overflow conditions in jq, which might lead to application crashes or other unintended behavior. However, the security impact is rated Moderate by Red Hat, and no known exploits in the wild have been reported. The issues affect jq versions included in Red Hat Enterprise Linux 10 and CodeReady Linux Builder. The exact impact on confidentiality, integrity, or availability is not detailed beyond the Moderate severity rating.

Red Hat has released updated jq packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 10 and CodeReady Linux Builder products should apply the security update as described in the Red Hat advisory RHSA-2025:12882. Detailed instructions and updated packages are available at https://access.redhat.com/articles/11258. Since this is a traditional software package and not a cloud service, remediation requires manual update by system administrators. Patch status is confirmed by the vendor advisory.