jq-1.6-12.el8_10

Errata ID: AXSA:2026-629:02

Release date: 
Monday, May 18, 2026 - 18:27
Subject: 
jq-1.6-12.el8_10
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text.

Security Fix(es):

* jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979)
* jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-39979
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
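The following C example is added here to show the defect class behind CVE-2026-39979 in isolation; it is not jq's code, and format_error_vulnerable(), format_error_fixed() and the backing buffer are hypothetical stand-ins for the jv_parse_sized() error path rather than libjq functions. The vulnerable formatter hands the counted buffer to %s and so reads past the caller-supplied length, while the fixed one bounds the read with %.*s.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for an error-formatting path that quotes the
   offending input from a counted, possibly non-NUL-terminated buffer.
   These are not jq's own functions. */

/* Vulnerable pattern: "%s" ignores `len` and reads until the first NUL,
   which may lie well beyond the counted buffer. */
char *format_error_vulnerable(const char *buf, int len) {
    char *msg = malloc(256);
    (void)len; /* caller-supplied length is never consulted */
    snprintf(msg, 256, "parse error near: %s", buf);
    return msg;
}

/* Hardened pattern: "%.*s" caps the read at `len` bytes. */
char *format_error_fixed(const char *buf, int len) {
    char *msg = malloc(256);
    snprintf(msg, 256, "parse error near: %.*s", len, buf);
    return msg;
}

/* Constructed input: the counted region (9 bytes of malformed JSON) is
   followed, inside the same array, by unrelated bytes standing in for
   adjacent memory. Keeping them in one array keeps the demo well defined
   while still showing what "%s" discloses. */
static const char backing[] = "{\"k\": tru" "ADJACENT-SECRET";
enum { COUNTED_LEN = 9 };

/* Detection helper: does the message expose bytes outside the counted
   region? */
int leaks_adjacent_bytes(const char *msg) {
    return strstr(msg, "ADJACENT-SECRET") != NULL;
}

int main(void) {
    char *bad = format_error_vulnerable(backing, COUNTED_LEN);
    char *good = format_error_fixed(backing, COUNTED_LEN);
    printf("vulnerable: %s\n", bad);  /* quotes ADJACENT-SECRET too */
    printf("fixed:      %s\n", good); /* stops after the 9 counted bytes */
    free(bad);
    free(good);
    return 0;
}
```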
CVE-2026-40164
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. jq-1.6-12.el8_10.src.rpm
    MD5: 898c9441f8b57d43d174b95242080529
    SHA-256: c5c81dd70ae7c2a437e04e57910bb8d3f01ad2ba728bb97709108c8d1df5fc17
    Size: 1.44 MB

Asianux Server 8 for x86_64
  1. jq-1.6-12.el8_10.i686.rpm
    MD5: 3dad0aa4459f486d2bd72b1ff805c0a4
    SHA-256: 78c768347d098d199a5e219fe7095e6d2f5240a9280665e54a90ada6a2c731c6
    Size: 237.02 kB
  2. jq-1.6-12.el8_10.x86_64.rpm
    MD5: e1bc3d82a40e88335eee129ae8a01124
    SHA-256: b78f2f48766503e75fc37523c55cb887f0743c369a4c4fefa902abf2178b76d9
    Size: 202.96 kB
  3. jq-devel-1.6-12.el8_10.i686.rpm
    MD5: fd810c777dd92674de9b9b853daf7044
    SHA-256: 79e3ccc61c08acdffb55fc37402091b9f67525900db99430b1421732e94cdeca
    Size: 13.23 kB
  4. jq-devel-1.6-12.el8_10.x86_64.rpm
    MD5: c4edcad8538daa5221b676001adb1af9
    SHA-256: 4bae9acb1e2a3c619d9e7cd9fc44042c0fed4ffd67aa724b2cda75c3714a30bf
    Size: 13.20 kB