{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/tuxcare9.6esu/vex/2025/cve-2025-9403-els_os-tuxcare9_6esu.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-05-07T11:53:32Z",
      "generator": {
        "date": "2026-05-07T11:53:32Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2025-9403-ELS_OS-TUXCARE9.6ESU",
      "initial_release_date": "2025-08-25T03:15:00Z",
      "revision_history": [
        {
          "date": "2025-08-25T03:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-07T11:53:32Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Security update on CVE-2025-9403"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.6",
                "product": {
                  "name": "AlmaLinux 9.6",
                  "product_id": "AlmaLinux-9.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Rocky Linux 9.6",
                "product": {
                  "name": "Rocky Linux 9.6",
                  "product_id": "Rocky Linux-9.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:resf:rocky_linux:9.6:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Rocky Linux"
          }
        ],
        "category": "vendor",
        "name": "Rocky Linux"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
                "product": {
                  "name": "jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
                  "product_id": "jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/jq@1.6-17.el9_6.2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
                "product": {
                  "name": "jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
                  "product_id": "jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/jq@1.6-17.el9_6.2.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
                "product": {
                  "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
                  "product_id": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/jq-devel@1.6-17.el9_6.2.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
                "product": {
                  "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
                  "product_id": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/jq-devel@1.6-17.el9_6.2.tuxcare.els2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
                "product": {
                  "name": "jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
                  "product_id": "jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/jq@1.6-17.el9_6.2.tuxcare.els2?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
                "product": {
                  "name": "jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
                  "product_id": "jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/jq@1.6-17.el9_6.2.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
                "product": {
                  "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
                  "product_id": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/jq-devel@1.6-17.el9_6.2.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
                "product": {
                  "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
                  "product_id": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/jq-devel@1.6-17.el9_6.2.tuxcare.els2?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64"
        },
        "product_reference": "jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-0:1.6-17.el9_6.2.tuxcare.els2.i686 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.i686"
        },
        "product_reference": "jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64"
        },
        "product_reference": "jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-0:1.6-17.el9_6.2.tuxcare.els1.i686 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.i686"
        },
        "product_reference": "jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64"
        },
        "product_reference": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686"
        },
        "product_reference": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64"
        },
        "product_reference": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686 as a component of AlmaLinux 9.6",
          "product_id": "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686"
        },
        "product_reference": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
        "relates_to_product_reference": "AlmaLinux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64"
        },
        "product_reference": "jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-0:1.6-17.el9_6.2.tuxcare.els2.i686 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.i686"
        },
        "product_reference": "jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64"
        },
        "product_reference": "jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-0:1.6-17.el9_6.2.tuxcare.els1.i686 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.i686"
        },
        "product_reference": "jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64"
        },
        "product_reference": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686"
        },
        "product_reference": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64"
        },
        "product_reference": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "Rocky Linux-9.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686 as a component of Rocky Linux 9.6",
          "product_id": "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686"
        },
        "product_reference": "jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
        "relates_to_product_reference": "Rocky Linux-9.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-9403",
      "cwe": {
        "id": "CWE-617",
        "name": "Reachable Assertion"
      },
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in jqlang jq up to 1.6. It affects the function run_jq_tests in the file jq_test.c of the component JSON Parser. Manipulation can lead to a reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be used. Other versions might be affected as well.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        },
        {
          "category": "other",
          "text": "TuxCare has assessed that this vulnerability does not impact any currently supported TuxCare products. This evaluation may change as new information becomes available. For additional details regarding this vulnerability and affected products, refer to the provided references.",
          "title": "Statement"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
          "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
          "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
          "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
          "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
          "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
          "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
          "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
          "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
          "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
          "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
          "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
          "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
          "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
          "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
          "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-9403"
        },
        {
          "category": "external",
          "summary": "https://drive.google.com/file/d/1r8m9PhU_rk-QPj6OMcs415FcvWPD-zJY/view?usp=sharing",
          "url": "https://drive.google.com/file/d/1r8m9PhU_rk-QPj6OMcs415FcvWPD-zJY/view?usp=sharing"
        },
        {
          "category": "external",
          "summary": "https://github.com/jqlang/jq/issues/3393",
          "url": "https://github.com/jqlang/jq/issues/3393"
        },
        {
          "category": "external",
          "summary": "https://vuldb.com/?ctiid.321239",
          "url": "https://vuldb.com/?ctiid.321239"
        },
        {
          "category": "external",
          "summary": "https://vuldb.com/?id.321239",
          "url": "https://vuldb.com/?id.321239"
        },
        {
          "category": "external",
          "summary": "https://vuldb.com/?submit.633170",
          "url": "https://vuldb.com/?submit.633170"
        }
      ],
      "release_date": "2025-08-25T03:15:00Z",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
            "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
            "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
            "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
            "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
            "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
            "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
            "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
            "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
            "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
            "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
            "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
            "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
            "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
            "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
            "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        },
        {
          "category": "impact",
          "details": "CVE-2025-9403 is confined to jq’s internal test harness (run_jq_tests in jq_test.c) and is only reachable when the binary is run with the explicit --run-tests option; normal jq usage and scripts do not execute this path. It requires local access and crafted test input, and the only outcome is an assertion-triggered process abort (availability impact only) with no effect on confidentiality, integrity, remote access, or privilege elevation. In centrally managed server/VM environments where jq is used as a JSON processor rather than to execute its test suite, this presents negligible practical risk and can be safely deprioritized.",
          "product_ids": [
            "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
            "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
            "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
            "AlmaLinux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
            "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
            "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
            "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
            "AlmaLinux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
            "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.i686",
            "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
            "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.i686",
            "Rocky Linux-9.6:jq-0:1.6-17.el9_6.2.tuxcare.els2.x86_64",
            "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.i686",
            "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els1.x86_64",
            "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.i686",
            "Rocky Linux-9.6:jq-devel-0:1.6-17.el9_6.2.tuxcare.els2.x86_64"
          ]
        }
      ]
    }
  ]
}