==========================================================================
Ubuntu Security Notice USN-8202-2
April 28, 2026

jq vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:


Summary:

Several security issues were fixed in jq.

Software Description:

Details:

USN-8202-1 fixed vulnerabilities in jq. This update provides the
corresponding update to Ubuntu 26.04 LTS.

Original advisory details:

 It was discovered that jq did not correctly handle certain string
 concatenations. An attacker could possibly use this issue to cause a
 denial of service or execute arbitrary code. (CVE-2026-32316)

 It was discovered that jq did not correctly handle recursion in certain
 circumstances. An attacker could possibly use this issue to cause a denial
 of service. (CVE-2026-33947)

 It was discovered that jq did not correctly handle improperly terminated
 strings. An attacker could possibly use this issue to cause a denial of
 service or execute arbitrary code. (CVE-2026-33948)

 It was discovered that jq did not correctly handle checking certain
 variable types. An attacker could possibly use this issue to cause a
 denial of service or leak sensitive information. (CVE-2026-39956)

 It was discovered that jq did not correctly handle certain string
 formatting. An attacker could possibly use this issue to leak sensitive
 information or cause a denial of service. (CVE-2026-39979)

 It was discovered that jq used a fixed seed for hash table operations. An
 attacker could possibly use this issue to cause a denial of service.
 (CVE-2026-40164)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8202-2
  https://ubuntu.com/security/notices/USN-8202-1
  CVE-2026-32316, CVE-2026-33947, CVE-2026-33948, CVE-2026-39956,
  CVE-2026-39979, CVE-2026-40164
