- What: Security update for jq in Red Hat Enterprise Linux 10
- Impact: Systems using jq may be vulnerable if not updated

Red Hat Product Errata
RHSA-2026:16692 - Security Advisory
Issued: 2026-05-13
Updated: 2026-05-13

Synopsis
Important: jq security update

Type/Severity
Security Advisory: Important

Topic
An update for jq is now available for Red Hat Enterprise Linux 10.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or transform structured data with the same ease that sed, awk, grep, or similar applications allow you to manipulate text.

Security Fix(es):
- jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers (CVE-2026-39979)
- jq: jq: Denial of Service via crafted JSON object causing hash collisions (CVE-2026-40164)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

Affected Products
- Red Hat Enterprise Linux for x86_64 10 x86_64
- Red Hat Enterprise Linux for IBM z Systems 10 s390x
- Red Hat Enterprise Linux for Power, little endian 10 ppc64le
- Red Hat Enterprise Linux for ARM 64 10 aarch64
- Red Hat CodeReady Linux Builder for x86_64 10 x86_64
- Red Hat CodeReady Linux Builder for Power, little endian 10 ppc64le
- Red Hat CodeReady Linux Builder for ARM 64 10 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 10 s390x

Fixes
- BZ - 2458077 - CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers
- BZ - 2458084 - CVE-2026-40164 jq: jq: Denial of Service via crafted JSON object causing hash collisions

CVEs
- CVE-2026-39979
- CVE-2026-40164

References
- https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Updated Packages

Red Hat Enterprise Linux for x86_64 10
- SRPM: jq-1.7.1-11.el10_1.0.2.src.rpm
- x86_64: jq-1.7.1-11.el10_1.0.2.x86_64.rpm
- x86_64: jq-debuginfo-1.7.1-11.el10_1.0.2.x86_64.rpm
- x86_64: jq-debugsource-1.7.1-11.el10_1.0.2.x86_64.rpm

Red Hat Enterprise Linux for IBM z Systems 10
- SRPM: jq-1.7.1-11.el10_1.0.2.src.rpm
- s390x: jq-1.7.1-11.el10_1.0.2.s390x.rpm
- s390x: jq-debuginfo-1.7.1-11.el10_1.0.2.s390x.rpm
- s390x: jq-debugsource-1.7.1-11.el10_1.0.2.s390x.rpm

Red Hat Enterprise Linux for Power, little endian 10
- SRPM: jq-1.7.1-11.el10_1.0.2.src.rpm
- ppc64le: jq-1.7.1-11.el10_1.0.2.ppc64le.rpm
- ppc64le: jq-debuginfo-1.7.1-11.el10_1.0.2.ppc64le.rpm
- ppc64le: jq-debugsource-1.7.1-11.el10_1.0.2.ppc64le.rpm

Red Hat Enterprise Linux for ARM 64 10
- SRPM: jq-1.7.1-11.el10_1.0.2.src.rpm
- aarch64: jq-1.7.1-11.el10_1.0.2.aarch64.rpm
- aarch64: jq-debuginfo-1.7.1-11.el10_1.0.2.aarch64.rpm
- aarch64: jq-debugsource-1.7.1-11.el10_1.0.2.aarch64.rpm

Red Hat CodeReady Linux Builder for x86_64 10
- x86_64: jq-debuginfo-1.7.1-11.el10_1.0.2.x86_64.rpm
- x86_64: jq-debugsource-1.7.1-11.el10_1.0.2.x86_64.rpm
- x86_64: jq-devel-1.7.1-11.el10_1.0.2.x86_64.rpm

Red Hat CodeReady Linux Builder for Power, little endian 10
- ppc64le: jq-debuginfo-1.7.1-11.el10_1.0.2.ppc64le.rpm
- ppc64le: jq-debugsource-1.7.1-11.el10_1.0.2.ppc64le.rpm
- ppc64le: jq-devel-1.7.1-11.el10_1.0.2.ppc64le.rpm

Red Hat CodeReady Linux Builder for ARM 64 10
- aarch64: jq-debuginfo-1.7.1-11.el10_1.0.2.aarch64.rpm
- aarch64: jq-debugsource-1.7.1-11.el10_1.0.2.aarch64.rpm
- aarch64: jq-devel-1.7.1-11.el10_1.0.2.aarch64.rpm

Red Hat CodeReady Linux Builder for IBM z Systems 10
- s390x: jq-debuginfo-1.7.1-11.el10_1.0.2.s390x.rpm
- s390x: jq-debugsource-1.7.1-11.el10_1.0.2.s390x.rpm
- s390x: jq-devel-1.7.1-11.el10_1.0.2.s390x.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.