jq-1.6-19.el9_8.2

エラータID: AXSA:2026-1020:03

Release date: 
Monday, June 29, 2026 - 13:16
Subject: 
jq-1.6-19.el9_8.2
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text.

Security Fix(es):

* jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979)
* jq: jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2026-39979
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
CVE-2026-40164
jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. jq-1.6-19.el9_8.2.src.rpm
    MD5: e2f0f97cc8c806f00a0657180ddea0a2
    SHA-256: e1d76c8d6235530fb35a9b63ce1684b18b272c9fbd747a16eefe960aa1324146
    Size: 1.44 MB

Asianux Server 9 for x86_64
  1. jq-1.6-19.el9_8.2.i686.rpm
    MD5: b8518dffb81db3edc9ac402814551d83
    SHA-256: e33cff76cafa3cac437a6b060e3cc1d47acda6aeccce0b082f8b062c42cd2d6c
    Size: 212.83 kB
  2. jq-1.6-19.el9_8.2.x86_64.rpm
    MD5: 89bdf7c2d224d5551f27040ab508f0aa
    SHA-256: 82961de8ff8f1fe7cc237f581b021e7a98464857424ea4e1c59401c55d825402
    Size: 186.44 kB
  3. jq-devel-1.6-19.el9_8.2.i686.rpm
    MD5: 097d861fa160c5991aef3192b5e45d1d
    SHA-256: f5879f6fd511a07760355321cca2ed7ddfecfb5de32bb902de2072e0943d6eb9
    Size: 10.57 kB
  4. jq-devel-1.6-19.el9_8.2.x86_64.rpm
    MD5: 0a1d2e6c54fa675521841fde797e5824
    SHA-256: 28cfdc5fb2587fbe0c8f453f5a26da5de18a235daf65f7fb965fc2d0cc42db07
    Size: 10.56 kB