
Fedora 44 jq Critical Buffer Overflow Denial of Service CVE-2026-32316

fedora
April 25, 2026
Several CVEs addressed in jq for Fedora 44, including critical buffer overflow and DoS issues. Immediate updates recommended.
Fixes CVE-2026-32316
Fixes CVE-2026-33947
Fixes CVE-2026-39956
Fixes CVE-2026-39979
Fixes CVE-2026-40164

Summary

lightweight and flexible command-line JSON processor

jq is like sed for JSON data – you can use it to slice and filter and map and transform structured data with the same ease that sed, awk, grep and friends let you play with text.

It is written in portable C, and it has zero runtime dependencies.

jq can mangle the data format that you have into the one that you want with very little effort, and the program to do so is often shorter and simpler than you'd expect.

Update Information:

Fixes CVE-2026-32316
Fixes CVE-2026-33947
Fixes CVE-2026-39956
Fixes CVE-2026-39979
Fixes CVE-2026-40164
Fixes bug https://github.com/jqlang/jq/issues/3413

Change Log

* Thu Apr 16 2026 Jonathan Wright - 1.8.1-3 - Fixes multiple CVEs

References


[ 1 ] Bug #2458029 - CVE-2026-32316 jq: jq: Denial of Service or potential arbitrary code execution due to integer overflow and heap-based buffer overflow [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2458029 [ 2 ] Bug #2458368 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2458368 [ 3 ] Bug #2458400 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2458400 [ 4 ] Bug #2458401 - CVE-2026-33947 jq: unbounded Recursion in jv_setpath() / jv_getpath() / delpaths_sorted() [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2458401 [ 5 ] Bug #2458402 - CVE-2026-39956 jq: missing runtime type checks for _strindices lead to crash and limited memory disclosure [fedora-all] https://bugzilla.redhat.com/show_bug.cgi...


Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-0eb8e878b6' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
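
To confirm a Fedora 44 host actually carries the fixed build after the upgrade, the following added example (not part of the Fedora advisory) compares the installed jq Version-Release against 1.8.1-3.fc44. The function names are hypothetical, and it assumes GNU `sort -V` is an adequate stand-in for RPM version ordering and that the package has no epoch.

```shell
#!/bin/sh
# Added example, not from the advisory: post-update check for the jq fix.
FIXED_EVR="1.8.1-3.fc44"   # Version-Release stated in this advisory (Fedora 44 only)

# evr_at_least INSTALLED FIXED -> exit status 0 when INSTALLED >= FIXED.
# Assumption: `sort -V` approximates RPM ordering; this holds for plain
# numeric version/release strings such as the ones in this advisory.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# jq_status INSTALLED_EVR -> prints fixed | needs-update | not-installed
jq_status() {
    case "$1" in
        ""|*"not installed"*)
            echo "not-installed" ;;
        *)
            if evr_at_least "$1" "$FIXED_EVR"; then
                echo "fixed"
            else
                echo "needs-update"
            fi ;;
    esac
}

# On an RPM-based host, query the installed package and report its state.
if command -v rpm >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' jq 2>/dev/null) || installed=""
    echo "jq ${installed:-<none>}: $(jq_status "$installed")"
fi
```

A result of `needs-update` means the host still runs a build older than the one that fixes the five CVEs listed above.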

Severity
critical

Name: jq
Product: Fedora 44
Version: 1.8.1
Release: 3.fc44
Summary: Command-line JSON processor
