{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "CVE-2026-40164: randomize hash seed to mitigate hash collision DoS\n- CVE-2026-40612: limit containment check depth\n- CVE-2026-41256: fix NUL truncation in program files loaded with -f\n- CVE-2026-41257: fix signed-int overflow in stack_reallocate\n- CVE-2026-43894: cap numeric literal length to DEC_MAX_DIGITS\n- CVE-2026-43895: reject embedded NUL bytes in module import paths\n- CVE-2026-43896: limit recursive object merge depth\n- CVE-2026-44777: detect circular module imports", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2026/clsa-2026_1779123410.json" } ], "tracking": { "current_release_date": "2026-05-18T16:58:07Z", "generator": { "date": "2026-05-18T16:58:07Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2026:1779123410", "initial_release_date": "2026-05-18T16:58:07Z", "revision_history": [ { "date": "2026-05-18T16:58:07Z", "number": "1", "summary": "Initial version" } ], "status": "final", "version": "1" }, "title": "jq: Fix of 8 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.2", "product": { "name": "AlmaLinux 9.2", "product_id": "AlmaLinux-9.2", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els6.i686", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els6.i686", "product_id": "jq-0:1.6-14.el9.tuxcare.els6.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els6?arch=i686" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els6?arch=i686" } } }, { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els4.i686", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els4.i686", "product_id": "jq-0:1.6-14.el9.tuxcare.els4.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els4?arch=i686" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els4?arch=i686" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els3?arch=i686" } } }, { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els3.i686", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els3.i686", "product_id": "jq-0:1.6-14.el9.tuxcare.els3.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els3?arch=i686" } } }, { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els2.i686", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els2.i686", "product_id": "jq-0:1.6-14.el9.tuxcare.els2.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els2?arch=i686" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els2?arch=i686" } } }, { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els1.i686", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els1.i686", "product_id": "jq-0:1.6-14.el9.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els1?arch=i686" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els1?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els6.x86_64", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els6.x86_64", "product_id": "jq-0:1.6-14.el9.tuxcare.els6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els6?arch=x86_64" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els6?arch=x86_64" } } }, { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els4.x86_64", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els4.x86_64", "product_id": "jq-0:1.6-14.el9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els4?arch=x86_64" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els3.x86_64", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els3.x86_64", "product_id": "jq-0:1.6-14.el9.tuxcare.els3.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els3?arch=x86_64" } } }, { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els2.x86_64", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els2.x86_64", "product_id": "jq-0:1.6-14.el9.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els2?arch=x86_64" } } }, { "category": "product_version", "name": "jq-0:1.6-14.el9.tuxcare.els1.x86_64", "product": { "name": "jq-0:1.6-14.el9.tuxcare.els1.x86_64", "product_id": "jq-0:1.6-14.el9.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq@1.6-14.el9.tuxcare.els1?arch=x86_64" } } }, { "category": "product_version", "name": "jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "product": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "product_id": "jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/jq-devel@1.6-14.el9.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els6.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els6.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els6.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els6.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els6.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els4.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els4.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els4.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els4.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els4.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els3.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els3.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els3.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els3.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els3.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els2.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els2.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els2.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els1.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-0:1.6-14.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64" }, "product_reference": "jq-0:1.6-14.el9.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "jq-devel-0:1.6-14.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686" }, "product_reference": "jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "relates_to_product_reference": "AlmaLinux-9.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-43894", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ā‰ˆ715 million 16-bit units (ā‰ˆ1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit).", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-43894" }, { "category": "external", "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-5v7p-2r57-2g4g" } ], "release_date": "2026-05-11T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-05-11T18:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2026-41256", "cwe": { "id": "CWE-158", "name": "Improper Neutralization of Null Byte or NUL Character" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \\x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed.", "title": "Vulnerability description" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-41256" }, { "category": "external", "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-vf2h-chrj-q3fg" } ], "release_date": "2026-05-11T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-05-11T18:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-43896", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-43896" }, { "category": "external", "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-mg96-6h3q-g846" } ], "release_date": "2026-05-11T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-05-11T18:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2026-43895", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens.", "title": "Vulnerability description" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-43895" }, { "category": "external", "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-7q7g-mrq3-phxr" } ], "release_date": "2026-05-11T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-05-11T18:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-44777", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two\notherwise valid modules include each other.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-44777" }, { "category": "external", "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-rmpv-jgvr-wpr9" } ], "release_date": "2026-05-11T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-05-11T18:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2026-40612", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. In 1.8.1 and earlier, jv_contains recurses into nested arrays/objects with no depth limit. With a sufficiently nested input structure (built programmatically with reduce, since the JSON parser caps at depth 10000), the C stack is exhausted.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-40612" }, { "category": "external", "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-r7m6-x9c7-h69j" } ], "release_date": "2026-05-11T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-05-11T18:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2026-39979", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-39979" }, { "category": "external", "summary": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f", "url": "https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f" }, { "category": "external", "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p" } ], "release_date": "2026-04-13T23:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-04-13T23:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1" }, "products": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] }, { "cve": "CVE-2026-40164", "cwe": { "id": "CWE-341", "name": "Predictable from Observable State" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(nĀ²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-40164" } ], "release_date": "2026-04-13T23:40:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-04-13T23:40:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ] }, { "cve": "CVE-2026-41257", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "notes": [ { "category": "description", "text": "jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ā‰ˆ1 GiB (via deeply nested generator forks), the doubling arithmetic overflows. The wrapped value is passed to realloc and then used for a memmove with attacker-influenced offsets.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "known_affected": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2026-41257" }, { "category": "external", "summary": "https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-4jm8-m363-4539" } ], "release_date": "2026-05-11T18:16:00Z", "remediations": [ { "category": "vendor_fix", "date": "2026-05-18T16:56:53.149879Z", "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ], "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1779123410" }, { "category": "none_available", "date": "2026-05-11T18:16:00Z", "details": "Affected", "product_ids": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els4.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els1.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els2.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els3.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els4.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-0:1.6-14.el9.tuxcare.els6.x86_64", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.i686", "AlmaLinux-9.2:jq-devel-0:1.6-14.el9.tuxcare.els6.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }