
CentOS 9 jq Key Vulnerability Mitigation Actions 2026-bd94183012

fedora
April 22, 2026
Critical update for jq in Fedora 43 resolving multiple issues, including denial-of-service risks and integer overflow errors.
Fixes CVE-2026-32316, CVE-2026-33947, CVE-2026-39956, CVE-2026-39979, CVE-2026-40164

Summary

lightweight and flexible command-line JSON processor

jq is like sed for JSON data – you can use it to slice and filter and map and transform structured data with the same ease that sed, awk, grep and friends let you play with text.

It is written in portable C, and it has zero runtime dependencies.

jq can mangle the data format that you have into the one that you want with very little effort, and the program to do so is often shorter and simpler than you'd expect.

Update Information:

Fixes CVE-2026-32316
Fixes CVE-2026-33947
Fixes CVE-2026-39956
Fixes CVE-2026-39979
Fixes CVE-2026-40164
Fixes bug https://github.com/jqlang/jq/issues/3413

Change Log

* Thu Apr 16 2026 Jonathan Wright - 1.8.1-3
- Fixes multiple CVEs
* Fri Jan 16 2026 Fedora Release Engineering - 1.8.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

References


[1] Bug #2458029 - CVE-2026-32316 jq: jq: Denial of Service or potential arbitrary code execution due to integer overflow and heap-based buffer overflow [fedora-all]
    https://bugzilla.redhat.com/show_bug.cgi?id=2458029
[2] Bug #2458368 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions [fedora-all]
    https://bugzilla.redhat.com/show_bug.cgi?id=2458368
[3] Bug #2458400 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers [fedora-all]
    https://bugzilla.redhat.com/show_bug.cgi?id=2458400
[4] Bug #2458401 - CVE-2026-33947 jq: unbounded Recursion in jv_setpath() / jv_getpath() / delpaths_sorted() [fedora-all]
    https://bugzilla.redhat.com/show_bug.cgi?id=2458401
[5] Bug #2458402 - CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure [fedora-all]
    https://bugzilla.redhat.com/show_bug.cgi...


Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-4e57162966' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
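
To confirm the fixed build is in place after the upgrade, the following added example (not part of the Fedora advisory) compares the installed jq build against 1.8.1-3.fc43. The function names, the `--check` switch and the use of `sort -V` as an approximation of RPM version ordering are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Fedora advisory.
FIXED_EVR="1.8.1-3.fc43"   # Version-Release of the fixed build, from the advisory

# jq_is_patched VERSION-RELEASE
#   0 = at or above the fixed build, 1 = older build that needs the update,
#   2 = not a Fedora 43 (.fc43) build, so this advisory does not apply.
# Assumption: `sort -V` approximates RPM version ordering, which holds for
# plain x.y.z-N.fc43 strings like the ones compared here.
jq_is_patched() {
    installed=$1
    case $installed in
        *.fc43) ;;
        *) return 2 ;;
    esac
    lowest=$(printf '%s\n%s\n' "$installed" "$FIXED_EVR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Query the RPM database and report the state of the installed jq package.
report_jq_status() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; this check only applies to RPM-based systems"
        return 2
    fi
    if ! evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' jq 2>/dev/null); then
        echo "jq is not installed"
        return 0
    fi
    rc=0
    jq_is_patched "$evr" || rc=$?
    case $rc in
        0) echo "jq $evr includes the fixes from FEDORA-2026-4e57162966" ;;
        1) echo "jq $evr predates $FIXED_EVR; run the dnf upgrade above" ;;
        2) echo "jq $evr is not a Fedora 43 build; check that release's advisory" ;;
    esac
    return "$rc"
}

# Run the live check only when asked, e.g.: sh check-jq.sh --check
if [ "${1:-}" = "--check" ]; then
    report_jq_status
fi
```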

Severity: important

Name: jq
Product: Fedora 43
Version: 1.8.1
Release: 3.fc43
Summary: Command-line JSON processor
