Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 22 articles for you...
217

Oracle Linux 10 jq Important Denial of Service Fix ELSA-2026-19151

The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-19151 http://linux.oracle.com/errata/ELSA-2026-19151.html The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network: x86_64: jq-1.7.1-11.el10_2.2.x86_64.rpm jq-devel-1.7.1-11.el10_2.2.x86_64.rpm aarch64: jq-1.7.1-11.el10_2.2.aarch64.rpm jq-devel-1.7.1-11.el10_2.2.aarch64.rpm SRPMS: http://oss.oracle.com/ol10/SRPMS-updates/jq-1.7.1-11.el10_2.2.src.rpm Related CVEs: CVE-2026-39979 CVE-2026-40164 Description of changes: [1.7.1-13] - Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions [1.7.1-12] - Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized() _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Oracle Linux 10 has important updates for jq, addressing denial of service vulnerabilities related to crafted JSON objects.. Oracle Linux,jq update,important advisory,security patch. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 17, 2026 Important Oracle
100

SUSE jq Important Heap Overflow Denial of Service Vuln 2026-22545-1

An update that solves 11 vulnerabilities can now be installed.. # Security update for jq Announcement ID: SUSE-SU-2026:22545-1 Release Date: 2026-07-07T12:32:37Z Rating: important References: * bsc#1244116 * bsc#1262043 * bsc#1262044 * bsc#1262069 * bsc#1262070 * bsc#1262071 * bsc#1262072 * bsc#1265060 * bsc#1265061 * bsc#1265062 * bsc#1265070 Cross-References: * CVE-2025-48060 * CVE-2026-32316 * CVE-2026-33947 * CVE-2026-33948 * CVE-2026-39956 * CVE-2026-39979 * CVE-2026-40164 * CVE-2026-40612 * CVE-2026-41256 * CVE-2026-41257 * CVE-2026-43894 CVSS scores: * CVE-2025-48060 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-48060 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L * CVE-2025-48060 ( NVD ): 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2025-48060 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-32316 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H * CVE-2026-32316 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2026-32316 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33947 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-33947 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-33947 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33947 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-33948 ( SUSE ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33948 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-33948 ( NVD ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33948 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-39956 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39956 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-39956 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-39979 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-39979 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H * CVE-2026-39979 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-39979 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L * CVE-2026-39979 ( NVD ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H * CVE-2026-40164 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-40164 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-40164 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40164 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-40612 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2026-40612 ( SUSE ): 6.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H * CVE-2026-40612 ( NVD ): 5.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-40612 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-41256 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-41256 ( SUSE ): 5.5CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N * CVE-2026-41256 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N * CVE-2026-41257 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-41257 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-41257 ( NVD ): 6.4 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-41257 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-43894 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2026-43894 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2026-43894 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-43894 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * SUSE Linux Micro 6.2 An update that solves 11 vulnerabilities can now be installed. ## Description: This update for jq fixes the following issues: * CVE-2025-48060: improper handling of string data in `jv_string_empty` can lead to heap buffer overflow and a crash when processing crafted input (bsc#1244116). * CVE-2026-32316: integer overflow within the `jvp_string_append()` and `jvp_string_copy_replace_bad` functions can lead to heap buffer overflow when evaluating untrusted jq queries (bsc#1262044). * CVE-2026-33947: unbounded recursion in functions `jv_setpath()`, `jv_getpath()`, and `delpaths_sorted()` can lead to excessive resource consumption when processing crafted JSON input (bsc#1262069). * CVE-2026-39956: missing runtime type checks in `_strindices` and `jv_string_indexes()` can lead to a crash when evaluating untrusted jq filters against a release build (bsc#1262070). * CVE-2026-39979: incorrect processing of non-nul-terminated counted buffers in `jv_parse_sized` can lead to an out-of-bounds read whenprocessing malformed JSON (bsc#1262071). * CVE-2026-40164: use of `MurmurHash3` with a hardcoded seed allows pre- computation of key collisions and can lead to a denial of service via resource exhaustion when processing crafted JSON objects (bsc#1262072). * CVE-2026-40612: recursion into nested arrays/objects with no depth limit in `jv_contains` can lead to a C stack exhaustion when processing crafted input (bsc#1265060). * CVE-2026-41256: truncation of top-level jq programs loaded with `-f` and can lead to the execution of unintended programs (bsc#1265061). * CVE-2026-41257: integer overflow in `stack_reallocate` can lead to memory corruption and DoS when processing jq bytecode (bsc#1265062). * CVE-2026-43894: signed integer overflow in the `decNumberFromString` `D2U()` macro can lead to an out-of-bounds memory write when processing large number literals (bsc#1265070). * CVE-2026-33948: improper handling of buffer sizes via `strlen()` instead of `fgets()` in CLI input parsing allows validation bypass via embedded NUL bytes (bsc#1262043). ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.2 zypper in -t patch SUSE-SL-Micro-6.2-1169=1 ## Package List: * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64) * libjq1-1.7.1-160000.3.1 * jq-debugsource-1.7.1-160000.3.1 * jq-1.7.1-160000.3.1 * jq-debuginfo-1.7.1-160000.3.1 * libjq1-debuginfo-1.7.1-160000.3.1 ## References: * https://www.suse.com/security/cve/CVE-2025-48060.html * https://www.suse.com/security/cve/CVE-2026-32316.html * https://www.suse.com/security/cve/CVE-2026-33947.html * https://www.suse.com/security/cve/CVE-2026-33948.html * https://www.suse.com/security/cve/CVE-2026-39956.html * https://www.suse.com/security/cve/CVE-2026-39979.html *https://www.suse.com/security/cve/CVE-2026-40164.html * https://www.suse.com/security/cve/CVE-2026-40612.html * https://www.suse.com/security/cve/CVE-2026-41256.html * https://www.suse.com/security/cve/CVE-2026-41257.html * https://www.suse.com/security/cve/CVE-2026-43894.html * https://bugzilla.suse.com/show_bug.cgi?id=1244116 * https://bugzilla.suse.com/show_bug.cgi?id=1262043 * https://bugzilla.suse.com/show_bug.cgi?id=1262044 * https://bugzilla.suse.com/show_bug.cgi?id=1262069 * https://bugzilla.suse.com/show_bug.cgi?id=1262070 * https://bugzilla.suse.com/show_bug.cgi?id=1262071 * https://bugzilla.suse.com/show_bug.cgi?id=1262072 * https://bugzilla.suse.com/show_bug.cgi?id=1265060 * https://bugzilla.suse.com/show_bug.cgi?id=1265061 * https://bugzilla.suse.com/show_bug.cgi?id=1265062 * https://bugzilla.suse.com/show_bug.cgi?id=1265070 . SUSE's security update for jq addresses 11 vulnerabilities including heap overflows and denial of service issues.. SUSE Linux Micro,jq security update,important vulnerabilities,heap overflow,denial of service. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 13, 2026 Important SuSE
197

Debian LTS DLA-4662-1 jq Important Memory Corruption DoS Fix

It was found that jq, a lightweight and flexible command-line JSON parser, was vulnerable to multiple memory corruption attacks, which could lead to application crashes, denial-of-service conditions, and potentially arbitrary code execution through heap corruption when parsing untrusted input. For Debian 12 bookworm, these problems have been fixed in version. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4662-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/lts/security/ Andreas Henriksson July 01, 2026 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : jq Version : 1.6-2.1+deb12u2 CVE ID : CVE-2026-32316 CVE-2026-33947 CVE-2026-33948 CVE-2026-39956 CVE-2026-39979 CVE-2026-40164 CVE-2026-41256 CVE-2026-41257 CVE-2026-43894 CVE-2026-43895 CVE-2026-43896 CVE-2026-44777 CVE-2026-47770 CVE-2026-49839 CVE-2026-54679 Debian Bug : 1133921 1136445 It was found that jq, a lightweight and flexible command-line JSON parser, was vulnerable to multiple memory corruption attacks, which could lead to application crashes, denial-of-service conditions, and potentially arbitrary code execution through heap corruption when parsing untrusted input. For Debian 12 bookworm, these problems have been fixed in version 1.6-2.1+deb12u2. For Debian 11 bullseye, these issues have been addressed in DLA-4599-1 and DLA-4661-1. We recommend that you upgrade your jq packages. For the detailed security status of jq please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jq Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . Multiple memory corruption issues in jq could lead to denial-of-service and remote codeexecution. Update recommended.. jq parser security update, debian jq exploit, memory corruption vulnerability, denial-of-service jq, debian security advisory. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 01, 2026 Important Debian LTS
202

openSUSE Tumbleweed jq Moderate Buffer Overflow Issues 2026-11133-1

An update that solves 3 vulnerabilities can now be installed.. # jq-1.8.2-1.1 on GA media Announcement ID: openSUSE-SU-2026:11133-1 Rating: moderate Cross-References: * CVE-2026-47770 * CVE-2026-49839 * CVE-2026-54679 CVSS scores: * CVE-2026-47770 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-49839 ( SUSE ): 7.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H * CVE-2026-54679 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-54679 ( SUSE ): 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Affected Products: * openSUSE Tumbleweed An update that solves 3 vulnerabilities can now be installed. ## Description: These are all security issues fixed in the jq-1.8.2-1.1 package on the GA media of openSUSE Tumbleweed. ## Package List: * openSUSE Tumbleweed: * jq 1.8.2-1.1 * libjq-devel 1.8.2-1.1 * libjq1 1.8.2-1.1 ## References: * https://www.suse.com/security/cve/CVE-2026-47770.html * https://www.suse.com/security/cve/CVE-2026-49839.html * https://www.suse.com/security/cve/CVE-2026-54679.html . An update for openSUSE Tumbleweed addresses 3 moderate issues in jq 1.8.2-1.1, ensuring better security against threats.. opensuse jq update security package management. . Severity: moderate. LinuxSecurity.com Team

Calendar%202 Jun 29, 2026 moderate OpenSUSE
217

Oracle Linux 9 jq Important Denial of Service Advisory ELSA-2026-19365

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-19365 http://linux.oracle.com/errata/ELSA-2026-19365.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: jq-1.6-19.el9_8.2.i686.rpm jq-1.6-19.el9_8.2.x86_64.rpm jq-devel-1.6-19.el9_8.2.i686.rpm jq-devel-1.6-19.el9_8.2.x86_64.rpm aarch64: jq-1.6-19.el9_8.2.aarch64.rpm jq-devel-1.6-19.el9_8.2.aarch64.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/jq-1.6-19.el9_8.2.src.rpm Related CVEs: CVE-2026-39979 CVE-2026-40164 Description of changes: [1.6-19.2] - Fix CVE-2026-40164 - Denial of Service via crafted JSON object causing hash collisions - Resolves: RHEL-168185 [1.6-19.1] - Fix CVE-2026-39979 out-of-bounds read in jv_parse_sized() - Resolves: RHEL-168202 _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Oracle Linux 9 advisory ELSA-2026-19365 addresses important issues in jq with CVEs for Denial of Service.. Oracle Linux Security Advisory, ELSA-2026-19365, jq update, Denial of Service, critical patches. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 24, 2026 Important Oracle
203

Mageia 9 jq Critical DoS and Code Exec Issues Vuln 2026-0188

Security update. Publication date: 10 Jun 2026 URL: https://advisories.mageia.org/MGASA-2026-0188.html Type: security Affected Mageia releases: 9 CVE: CVE-2024-23337, CVE-2025-48060, CVE-2026-32316, CVE-2026-39979, CVE-2026-33948, CVE-2026-33947, CVE-2026-39956, CVE-2026-40164 Description: An integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. (CVE-2024-23337) It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-32316) It was discovered that jq did not correctly handle recursion in certain circumstances. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-33947) It was discovered that jq did not correctly handle improperly terminated strings. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-33948) It was discovered that jq did not correctly handle checking certain variable types. An attacker could possibly use this issue to cause a denial of service or leak sensitive information. (CVE-2026-39956) It was discovered that jq did not correctly handle certain string formatting. An attacker could possibly use this issue to leak sensitive information or cause a denial of service. (CVE-2026-39979) It was discovered that jq used a fixed seed for hash table operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-40164) A heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz); (CVE-2025-48060) Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before theNUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed. (CVE-2026-41256) The ordinary module loader recurses without cycle detection when two otherwise valid modules include each other (CVE-2026-44777) References: - https://bugs.mageia.org/show_bug.cgi?id=34443 - https://www.openwall.com/lists/oss-security/2026/04/15/8 - https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f - https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p - https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9 - https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg - https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28 - https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29 - https://github.com/jqlang/jq/security/advisories/GHSA-gf4g-95wj-4q4r - https://www.cve.org/CVERecord?id=CVE-2024-23337 - https://www.cve.org/CVERecord?id=CVE-2025-48060 - https://www.cve.org/CVERecord?id=CVE-2026-32316 - https://www.cve.org/CVERecord?id=CVE-2026-39979 - https://www.cve.org/CVERecord?id=CVE-2026-33948 - https://www.cve.org/CVERecord?id=CVE-2026-33947 - https://www.cve.org/CVERecord?id=CVE-2026-39956 - https://www.cve.org/CVERecord?id=CVE-2026-40164 SRPMS: - 9/core/jq-1.6-3.1.mga9 . Critical security update addressing multiple denial of service risks and code execution issues in jq for Mageia 9.. Mageia jq security update integer overflow denial of service. . Severity: Critical. LinuxSecurity.com Team

Calendar%202 Jun 10, 2026 Critical Mageia
100

SUSE jq Moderate Security Update CVE-2026-33948 Advisory 2026-2283-1

An update that solves one vulnerability can now be installed.. # Security update for jq Announcement ID: SUSE-SU-2026:2283-1 Release Date: 2026-06-05T12:15:29Z Rating: moderate References: * bsc#1262043 Cross-References: * CVE-2026-33948 CVSS scores: * CVE-2026-33948 ( SUSE ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33948 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N * CVE-2026-33948 ( NVD ): 2.9 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-33948 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Affected Products: * Basesystem Module 15-SP7 * SUSE Linux Enterprise Desktop 15 SP7 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 * SUSE Linux Enterprise Real Time 15 SP7 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 An update that solves one vulnerability can now be installed. ## Description: This update for jq fixes the following issue * CVE-2026-33948: CLI input parsing may allow validation bypass via embedded NUL bytes (bsc#1262043) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Basesystem Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2283=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2026-2283=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2026-2283=1 * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2026-2283=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2026-2283=1 * SUSE Linux Enterprise Micro 5.5 zypper in -t patch SUSE-SLE-Micro-5.5-2026-2283=1 ## Package List: * Basesystem Module 15-SP7 (aarch64 ppc64le s390x x86_64) * jq-1.6-150000.3.15.1 * libjq-devel-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 * SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64) * jq-1.6-150000.3.15.1 * libjq1-debuginfo-1.6-150000.3.15.1 * libjq1-1.6-150000.3.15.1 * jq-debugsource-1.6-150000.3.15.1 * jq-debuginfo-1.6-150000.3.15.1 ## References: * https://www.suse.com/security/cve/CVE-2026-33948.html * https://bugzilla.suse.com/show_bug.cgi?id=1262043 . A security update is available for jq with moderate severity, addressing CLI input parsing bypass issues.. SUSE jq update moderatesecurity input parsing. . Severity: moderate. LinuxSecurity.com Team

Calendar%202 Jun 05, 2026 moderate SuSE
172

Ubuntu 20.04 jq Critical Denial of Service Fix USN-8202-3

USN-8202-1 introduced a regression in jq. ========================================================================== Ubuntu Security Notice USN-8202-3 May 21, 2026 jq regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: USN-8202-1 introduced a regression in jq Software Description: - jq: lightweight and flexible command-line JSON processor Details: USN-8202-1 fixed vulnerabilities in jq. The update caused a regression for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-32316) It was discovered that jq did not correctly handle recursion in certain circumstances. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-33947) It was discovered that jq did not correctly handle improperly terminated strings. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-33948) It was discovered that jq did not correctly handle checking certain variable types. An attacker could possibly use this issue to cause a denial of service or leak sensitive information. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-39956) It was discovered that jq did not correctly handle certain string formatting. An attacker could possibly use this issue toleak sensitive information or cause a denial of service. (CVE-2026-39979) It was discovered that jq used a fixed seed for hash table operations. An attacker could possibly use this issue to cause a denial of service. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-40164) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS jq 1.6-1ubuntu0.20.04.1+esm3 Available with Ubuntu Pro libjq-dev 1.6-1ubuntu0.20.04.1+esm3 Available with Ubuntu Pro libjq1 1.6-1ubuntu0.20.04.1+esm3 Available with Ubuntu Pro Ubuntu 18.04 LTS jq 1.5+dfsg-2ubuntu0.1~esm3 Available with Ubuntu Pro libjq-dev 1.5+dfsg-2ubuntu0.1~esm3 Available with Ubuntu Pro libjq1 1.5+dfsg-2ubuntu0.1~esm3 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8202-3 https://ubuntu.com/security/notices/USN-8202-2 https://ubuntu.com/security/notices/USN-8202-1 CVE-2026-40164, https://bugs.launchpad.net/ubuntu/+source/jq/+bug/2152052 . A regression in jq observed in Ubuntu 18.04 and 20.04 LTS can lead to denial of service or code execution. Update recommended.. jq regression, Ubuntu security, update jq, software vulnerabilities. . Severity: Important. LinuxSecurity.com Team

Calendar%202 May 21, 2026 Important Ubuntu
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200