Explore top 10 tips to secure your open-source projects now. Read More
×
The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-19151 http://linux.oracle.com/errata/ELSA-2026-19151.html The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network: x86_64: jq-1.7.1-11.el10_2.2.x86_64.rpm jq-devel-1.7.1-11.el10_2.2.x86_64.rpm aarch64: jq-1.7.1-11.el10_2.2.aarch64.rpm jq-devel-1.7.1-11.el10_2.2.aarch64.rpm SRPMS: http://oss.oracle.com/ol10/SRPMS-updates/jq-1.7.1-11.el10_2.2.src.rpm Related CVEs: CVE-2026-39979 CVE-2026-40164 Description of changes: [1.7.1-13] - Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions [1.7.1-12] - Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized() _______________________________________________ El-errata mailing list
An update that solves 11 vulnerabilities can now be installed.. # Security update for jq Announcement ID: SUSE-SU-2026:22545-1 Release Date: 2026-07-07T12:32:37Z Rating: important References: * bsc#1244116 * bsc#1262043 * bsc#1262044 * bsc#1262069 * bsc#1262070 * bsc#1262071 * bsc#1262072 * bsc#1265060 * bsc#1265061 * bsc#1265062 * bsc#1265070 Cross-References: * CVE-2025-48060 * CVE-2026-32316 * CVE-2026-33947 * CVE-2026-33948 * CVE-2026-39956 * CVE-2026-39979 * CVE-2026-40164 * CVE-2026-40612 * CVE-2026-41256 * CVE-2026-41257 * CVE-2026-43894 CVSS scores: * CVE-2025-48060 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-48060 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L * CVE-2025-48060 ( NVD ): 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2025-48060 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-32316 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H * CVE-2026-32316 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2026-32316 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33947 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-33947 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-33947 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33947 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33948 ( SUSE ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33948 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-33948 ( NVD ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33948 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-39956 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39956 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-39956 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-39979 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39979 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-39979 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-39979 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L * CVE-2026-39979 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H * CVE-2026-40164 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-40164 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-40164 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40164 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40612 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2026-40612 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H * CVE-2026-40612 ( NVD ): 5.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-40612 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-41256 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-41256 ( SUSE ): 5.5CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N * CVE-2026-41256 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N * CVE-2026-41257 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-41257 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-41257 ( NVD ): 6.4 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41257 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-43894 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-43894 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-43894 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-43894 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Micro 6.2 An update that solves 11 vulnerabilities can now be installed. ## Description: This update for jq fixes the following issues: * CVE-2025-48060: improper handling of string data in `jv_string_empty` can lead to heap buffer overflow and a crash when processing crafted input (bsc#1244116). * CVE-2026-32316: integer overflow within the `jvp_string_append()` and `jvp_string_copy_replace_bad` functions can lead to heap buffer overflow when evaluating untrusted jq queries (bsc#1262044). * CVE-2026-33947: unbounded recursion in functions `jv_setpath()`, `jv_getpath()`, and `delpaths_sorted()` can lead to excessive resource consumption when processing crafted JSON input (bsc#1262069). * CVE-2026-39956: missing runtime type checks in `_strindices` and `jv_string_indexes()` can lead to a crash when evaluating untrusted jq filters against a release build (bsc#1262070). * CVE-2026-39979: incorrect processing of non-nul-terminated counted buffers in `jv_parse_sized` can lead to an out-of-bounds read whenprocessing malformed JSON (bsc#1262071). * CVE-2026-40164: use of `MurmurHash3` with a hardcoded seed allows pre- computation of key collisions and can lead to a denial of service via resource exhaustion when processing crafted JSON objects (bsc#1262072). * CVE-2026-40612: recursion into nested arrays/objects with no depth limit in `jv_contains` can lead to a C stack exhaustion when processing crafted input (bsc#1265060). * CVE-2026-41256: truncation of top-level jq programs loaded with `-f` and can lead to the execution of unintended programs (bsc#1265061). * CVE-2026-41257: integer overflow in `stack_reallocate` can lead to memory corruption and DoS when processing jq bytecode (bsc#1265062). * CVE-2026-43894: signed integer overflow in the `decNumberFromString` `D2U()` macro can lead to an out-of-bounds memory write when processing large number literals (bsc#1265070). * CVE-2026-33948: improper handling of buffer sizes via `strlen()` instead of `fgets()` in CLI input parsing allows validation bypass via embedded NUL bytes (bsc#1262043). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.2 zypper in -t patch SUSE-SL-Micro-6.2-1169=1 ## Package List: * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64) * libjq1-1.7.1-160000.3.1 * jq-debugsource-1.7.1-160000.3.1 * jq-1.7.1-160000.3.1 * jq-debuginfo-1.7.1-160000.3.1 * libjq1-debuginfo-1.7.1-160000.3.1 ## References: * https://www.suse.com/security/cve/CVE-2025-48060.html * https://www.suse.com/security/cve/CVE-2026-32316.html * https://www.suse.com/security/cve/CVE-2026-33947.html * https://www.suse.com/security/cve/CVE-2026-33948.html * https://www.suse.com/security/cve/CVE-2026-39956.html * https://www.suse.com/security/cve/CVE-2026-39979.html *https://www.suse.com/security/cve/CVE-2026-40164.html * https://www.suse.com/security/cve/CVE-2026-40612.html * https://www.suse.com/security/cve/CVE-2026-41256.html * https://www.suse.com/security/cve/CVE-2026-41257.html * https://www.suse.com/security/cve/CVE-2026-43894.html * https://bugzilla.suse.com/show_bug.cgi?id=1244116 * https://bugzilla.suse.com/show_bug.cgi?id=1262043 * https://bugzilla.suse.com/show_bug.cgi?id=1262044 * https://bugzilla.suse.com/show_bug.cgi?id=1262069 * https://bugzilla.suse.com/show_bug.cgi?id=1262070 * https://bugzilla.suse.com/show_bug.cgi?id=1262071 * https://bugzilla.suse.com/show_bug.cgi?id=1262072 * https://bugzilla.suse.com/show_bug.cgi?id=1265060 * https://bugzilla.suse.com/show_bug.cgi?id=1265061 * https://bugzilla.suse.com/show_bug.cgi?id=1265062 * https://bugzilla.suse.com/show_bug.cgi?id=1265070 . SUSE's security update for jq addresses 11 vulnerabilities including heap overflows and denial of service issues.. SUSE Linux Micro,jq security update,important vulnerabilities,heap overflow,denial of service. . Severity: Important. LinuxSecurity.com Team
It was found that jq, a lightweight and flexible command-line JSON parser, was vulnerable to multiple memory corruption attacks, which could lead to application crashes, denial-of-service conditions, and potentially arbitrary code execution through heap corruption when parsing untrusted input. For Debian 12 bookworm, these problems have been fixed in version. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4662-1
An update that solves 3 vulnerabilities can now be installed.. # jq-1.8.2-1.1 on GA media Announcement ID: openSUSE-SU-2026:11133-1 Rating: moderate Cross-References: * CVE-2026-47770 * CVE-2026-49839 * CVE-2026-54679 CVSS scores: * CVE-2026-47770 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-49839 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H * CVE-2026-54679 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-54679 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves 3 vulnerabilities can now be installed. ## Description: These are all security issues fixed in the jq-1.8.2-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * jq 1.8.2-1.1 * libjq-devel 1.8.2-1.1 * libjq1 1.8.2-1.1 ## References: * https://www.suse.com/security/cve/CVE-2026-47770.html * https://www.suse.com/security/cve/CVE-2026-49839.html * https://www.suse.com/security/cve/CVE-2026-54679.html . An update for openSUSE Tumbleweed addresses 3 moderate issues in jq 1.8.2-1.1, ensuring better security against threats.. opensuse jq update security package management. . Severity: moderate. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-19365 http://linux.oracle.com/errata/ELSA-2026-19365.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: jq-1.6-19.el9_8.2.i686.rpm jq-1.6-19.el9_8.2.x86_64.rpm jq-devel-1.6-19.el9_8.2.i686.rpm jq-devel-1.6-19.el9_8.2.x86_64.rpm aarch64: jq-1.6-19.el9_8.2.aarch64.rpm jq-devel-1.6-19.el9_8.2.aarch64.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/jq-1.6-19.el9_8.2.src.rpm Related CVEs: CVE-2026-39979 CVE-2026-40164 Description of changes: [1.6-19.2] - Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions - Resolves: RHEL-168185 [1.6-19.1] - Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized() - Resolves: RHEL-168202 _______________________________________________ El-errata mailing list
Security update. Publication date: 10 Jun 2026 URL: https://advisories.mageia.org/MGASA-2026-0188.html Type: security Affected Mageia releases: 9 CVE: CVE-2024-23337, CVE-2025-48060, CVE-2026-32316, CVE-2026-39979, CVE-2026-33948, CVE-2026-33947, CVE-2026-39956, CVE-2026-40164 Description: An integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. (CVE-2024-23337) It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-32316) It was discovered that jq did not correctly handle recursion in certain circumstances. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-33947) It was discovered that jq did not correctly handle improperly terminated strings. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-33948) It was discovered that jq did not correctly handle checking certain variable types. An attacker could possibly use this issue to cause a denial of service or leak sensitive information. (CVE-2026-39956) It was discovered that jq did not correctly handle certain string formatting. An attacker could possibly use this issue to leak sensitive information or cause a denial of service. (CVE-2026-39979) It was discovered that jq used a fixed seed for hash table operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-40164) A heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz); (CVE-2025-48060) Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before theNUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed. (CVE-2026-41256) The ordinary module loader recurses without cycle detection when two otherwise valid modules include each other (CVE-2026-44777) References: - https://bugs.mageia.org/show_bug.cgi?id=34443 - https://www.openwall.com/lists/oss-security/2026/04/15/8 - https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f - https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p - https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9 - https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg - https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28 - https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29 - https://github.com/jqlang/jq/security/advisories/GHSA-gf4g-95wj-4q4r - https://www.cve.org/CVERecord?id=CVE-2024-23337 - https://www.cve.org/CVERecord?id=CVE-2025-48060 - https://www.cve.org/CVERecord?id=CVE-2026-32316 - https://www.cve.org/CVERecord?id=CVE-2026-39979 - https://www.cve.org/CVERecord?id=CVE-2026-33948 - https://www.cve.org/CVERecord?id=CVE-2026-33947 - https://www.cve.org/CVERecord?id=CVE-2026-39956 - https://www.cve.org/CVERecord?id=CVE-2026-40164 SRPMS: - 9/core/jq-1.6-3.1.mga9 . Critical security update addressing multiple denial of service risks and code execution issues in jq for Mageia 9.. Mageia jq security update integer overflow denial of service. . Severity: Critical. LinuxSecurity.com Team
An update that solves one vulnerability can now be installed.. # Security update for jq Announcement ID: SUSE-SU-2026:2283-1 Release Date: 2026-06-05T12:15:29Z Rating: moderate References: * bsc#1262043 Cross-References: * CVE-2026-33948 CVSS scores: * CVE-2026-33948 ( SUSE ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33948 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-33948 ( NVD ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33948 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Affected Products: * Basesystem Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 An update that solves one vulnerability can now be installed. ## Description: This update for jq fixes the following issue * CVE-2026-33948: CLI input parsing may allow validation bypass via embedded NUL bytes (bsc#1262043) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Basesystem Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2283=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2026-2283=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2026-2283=1 * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2026-2283=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2026-2283=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2026-2283=1 ## Package List: * Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64) * jq-1.6-150000.3.15.1 * libjq-devel-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 ## References: * https://www.suse.com/security/cve/CVE-2026-33948.html * https://bugzilla.suse.com/show_bug.cgi?id=1262043 . A security update is available for jq with moderate severity, addressing CLI input parsing bypass issues.. SUSE jq update moderatesecurity input parsing. . Severity: moderate. LinuxSecurity.com Team
USN-8202-1 introduced a regression in jq. ========================================================================== Ubuntu Security Notice USN-8202-3 May 21, 2026 jq regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: USN-8202-1 introduced a regression in jq Software Description: - jq: lightweight and flexible command-line JSON processor Details: USN-8202-1 fixed vulnerabilities in jq. The update caused a regression for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-32316) It was discovered that jq did not correctly handle recursion in certain circumstances. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-33947) It was discovered that jq did not correctly handle improperly terminated strings. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-33948) It was discovered that jq did not correctly handle checking certain variable types. An attacker could possibly use this issue to cause a denial of service or leak sensitive information. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-39956) It was discovered that jq did not correctly handle certain string formatting. An attacker could possibly use this issue toleak sensitive information or cause a denial of service. (CVE-2026-39979) It was discovered that jq used a fixed seed for hash table operations. An attacker could possibly use this issue to cause a denial of service. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-40164) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS jq 1.6-1ubuntu0.20.04.1+esm3 Available with Ubuntu Pro libjq-dev 1.6-1ubuntu0.20.04.1+esm3 Available with Ubuntu Pro libjq1 1.6-1ubuntu0.20.04.1+esm3 Available with Ubuntu Pro Ubuntu 18.04 LTS jq 1.5+dfsg-2ubuntu0.1~esm3 Available with Ubuntu Pro libjq-dev 1.5+dfsg-2ubuntu0.1~esm3 Available with Ubuntu Pro libjq1 1.5+dfsg-2ubuntu0.1~esm3 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8202-3 https://ubuntu.com/security/notices/USN-8202-2 https://ubuntu.com/security/notices/USN-8202-1 CVE-2026-40164, https://bugs.launchpad.net/ubuntu/+source/jq/+bug/2152052 . A regression in jq observed in Ubuntu 18.04 and 20.04 LTS can lead to denial of service or code execution. Update recommended.. jq regression, Ubuntu security, update jq, software vulnerabilities. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.