jq-1.6-19.el9_7.0.2
Errata ID: AXSA:2026-614:01
jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text.
Security Fix(es):
* jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979)
* jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-39979
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
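The defect pattern described above, reduced to a self-contained C demo (added here as an illustration; this is not libjq's code, and the function names `format_error_unsafe`, `format_error_safe` and `overread_bytes` are hypothetical). The constructed buffer `BACKING` carries five bytes of malformed JSON followed by the bytes "SECRET", which stand in for whatever memory happens to follow a caller's counted buffer; the trailing NUL exists only so the demo itself has defined behaviour. The unsafe formatter ignores the length and lets `%s` scan to the NUL, the hardened one caps the read with `%.*s`:

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the first 5 bytes are the malformed JSON a caller hands
 * to the parser with an explicit length; "SECRET" stands in for whatever
 * happens to sit in memory right after the caller's buffer. The trailing NUL
 * only exists so this demo has defined behaviour. */
const char BACKING[] = "{\"a\":SECRET";
const size_t CALLER_LEN = 5;

/* Defective pattern (mirrors the pre-fix behaviour the advisory describes):
 * the length argument is ignored and %s scans until it finds a NUL, so bytes
 * past the caller's buffer end up in the error message. */
char *format_error_unsafe(const char *buf, size_t len) {
    (void)len;
    size_t need = (size_t)snprintf(NULL, 0, "parse error near: %s", buf) + 1;
    char *msg = malloc(need);
    if (msg) snprintf(msg, need, "parse error near: %s", buf);
    return msg;
}

/* Hardened form: %.*s caps the number of bytes printf may read at `len`,
 * so the message never reaches beyond the counted buffer. */
char *format_error_safe(const char *buf, size_t len) {
    int n = len > INT_MAX ? INT_MAX : (int)len;
    size_t need = (size_t)snprintf(NULL, 0, "parse error near: %.*s", n, buf) + 1;
    char *msg = malloc(need);
    if (msg) snprintf(msg, need, "parse error near: %.*s", n, buf);
    return msg;
}

/* Review aid: how many bytes beyond the supplied length a %s-based path would
 * consume before stopping (assumes a NUL is eventually reachable, as in the
 * constructed input above). */
size_t overread_bytes(const char *buf, size_t len) {
    size_t scanned = strlen(buf);
    return scanned > len ? scanned - len : 0;
}

int main(void) {
    char *bad = format_error_unsafe(BACKING, CALLER_LEN);
    char *good = format_error_safe(BACKING, CALLER_LEN);
    printf("unsafe: %s\n", bad);
    printf("safe:   %s\n", good);
    printf("bytes read past caller's length by %%s: %zu\n",
           overread_bytes(BACKING, CALLER_LEN));
    free(bad);
    free(good);
    return 0;
}
```

When auditing a C code base for the same class of bug, the thing to grep for is any `%s` whose argument is a pointer that arrived together with a separate length parameter; the `%.*s` form with `(int)len` is the usual fix, and the length must be clamped to `INT_MAX` before the cast.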
CVE-2026-40164
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.
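The mitigation side of the issue above, as an added C example that is not jq's own code: a per-process random seed replaces a hardcoded one so that bucket positions cannot be precomputed offline, and a chain-length check lets a service notice when a table built from untrusted input has collapsed into one bucket. To keep the demo short it uses a seeded FNV-1a hash rather than jq's MurmurHash3; the functions `random_seed`, `bucket_of`, `max_chain_len` and `chains_look_degraded`, the time-based fallback and the sample key arrays are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Seeded 64-bit FNV-1a (used here instead of jq's MurmurHash3 to keep the
 * demo short). The seed takes the place of the fixed offset basis, so a key's
 * bucket differs from one process to the next and cannot be precomputed. */
uint64_t fnv1a64(const char *key, size_t len, uint64_t seed) {
    uint64_t h = seed;
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char)key[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Per-process seed from the OS CSPRNG; the time-based fallback is a
 * hypothetical policy for hosts without /dev/urandom, not a recommendation. */
uint64_t random_seed(void) {
    uint64_t s = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f) {
        size_t got = fread(&s, sizeof s, 1, f);
        fclose(f);
        if (got == 1 && s != 0) return s;
    }
    return (uint64_t)time(NULL) * 0x9e3779b97f4a7c15ULL;
}

size_t bucket_of(const char *key, uint64_t seed, size_t nbuckets) {
    return (size_t)(fnv1a64(key, strlen(key), seed) % nbuckets);
}

/* Insert keys into nbuckets chains and return the longest chain. With a
 * well-seeded hash this stays small; the O(n) lookups the advisory describes
 * correspond to a chain whose length approaches n. */
size_t max_chain_len(const char *const *keys, size_t n, size_t nbuckets, uint64_t seed) {
    size_t *counts = calloc(nbuckets, sizeof *counts);
    size_t worst = 0;
    if (!counts) return 0;
    for (size_t i = 0; i < n; i++) {
        size_t b = bucket_of(keys[i], seed, nbuckets);
        if (++counts[b] > worst) worst = counts[b];
    }
    free(counts);
    return worst;
}

/* Health check a service could apply after building a table from untrusted
 * input: report degradation once one chain exceeds `limit` entries. */
int chains_look_degraded(const char *const *keys, size_t n, size_t nbuckets,
                         uint64_t seed, size_t limit) {
    return max_chain_len(keys, n, nbuckets, seed) > limit;
}

/* Constructed samples: distinct member names, and the degenerate case where
 * every entry lands in the same chain regardless of seed. */
const char *const DISTINCT_KEYS[] = { "id", "name", "email", "role",
                                      "team", "created", "updated", "flags" };
const char *const SAME_KEYS[] = { "dup", "dup", "dup", "dup",
                                  "dup", "dup", "dup", "dup" };
const size_t SAMPLE_N = 8;

int main(void) {
    uint64_t seed = random_seed();
    printf("seed=%016llx distinct keys: longest chain=%zu, degraded=%d\n",
           (unsigned long long)seed,
           max_chain_len(DISTINCT_KEYS, SAMPLE_N, 16, seed),
           chains_look_degraded(DISTINCT_KEYS, SAMPLE_N, 16, seed, 4));
    printf("same key x8: longest chain=%zu, degraded=%d\n",
           max_chain_len(SAME_KEYS, SAMPLE_N, 16, seed),
           chains_look_degraded(SAME_KEYS, SAMPLE_N, 16, seed, 4));
    return 0;
}
```

Seed randomization removes the offline precomputation step the advisory describes; the chain-length check is a cheap runtime signal for pipelines that parse attacker-controlled JSON, and tripping it is a reason to reject the document rather than keep processing it.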
Update packages.
N/A
SRPMS
- jq-1.6-19.el9_7.0.2.src.rpm
MD5: 935d234a8a472a9e65d8516538bef303
SHA-256: 492b57978b53d773eedf0132c4476c6a1f19d0695598faa90b3d0e73a59de430
Size: 1.44 MB
Asianux Server 9 for x86_64
- jq-1.6-19.el9_7.0.2.i686.rpm
MD5: 9c31aab164fac02ac5f18b5e8ad2f782
SHA-256: 8a52317d44a3fb1e8f1e78ea28b5fe8b80c37fe6f53dacb2e27e64d1039e811b
Size: 212.80 kB
- jq-1.6-19.el9_7.0.2.x86_64.rpm
MD5: 48810af0b4779ab21706af451c5698ae
SHA-256: 3d136b78b9ec593757dbe74eeaecf9c514a63664dcf5d1f518904202843ed9ab
Size: 186.44 kB
- jq-devel-1.6-19.el9_7.0.2.i686.rpm
MD5: c07e416dfea7f64924caa1b7b5b219f3
SHA-256: 00e9b4a11ead2b3ecd046e9e54a5aa0d6c56d4c7b5b078c3f561ce4af80c72c5
Size: 10.58 kB
- jq-devel-1.6-19.el9_7.0.2.x86_64.rpm
MD5: 0ff38200721d92a54ec6bd1745d4627f
SHA-256: 9cda90b59bc6219f9675b81472627c4b946203f9204bf9dc105beb50f770d3a6
Size: 10.57 kB