Updated jq packages fix security vulnerabilities
Publication date: 10 Jun 2026
Modification date: 10 Jun 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-23337, CVE-2025-48060, CVE-2026-32316, CVE-2026-39979, CVE-2026-33948, CVE-2026-33947, CVE-2026-39956, CVE-2026-40164
Description
An integer overflow arises when assigning a value using an index of
2147483647, the signed integer limit. This causes a denial of service.
(CVE-2024-23337)
It was discovered that jq did not correctly handle certain string
concatenations. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2026-32316)
It was discovered that jq did not correctly handle recursion in certain
circumstances. An attacker could possibly use this issue to cause a
denial of service. (CVE-2026-33947)
It was discovered that jq did not correctly handle improperly terminated
strings. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. (CVE-2026-33948)
It was discovered that jq did not correctly handle checking certain
variable types. An attacker could possibly use this issue to cause a
denial of service or leak sensitive information. (CVE-2026-39956)
It was discovered that jq did not correctly handle certain string
formatting. An attacker could possibly use this issue to leak sensitive
information or cause a denial of service. (CVE-2026-39979)
It was discovered that jq used a fixed seed for hash table operations.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2026-40164)
A heap buffer overflow is present in the function `jv_string_vfmt`, found
with the jq_fuzz_execute harness from oss-fuzz. The crash happens in file
jv.c, line 1456: `void* p = malloc(sz);`. (CVE-2025-48060)
Top-level jq programs loaded from a file with `-f` are truncated at the
first embedded NUL byte on current upstream HEAD. A crafted filter file
such as `.` followed by `\x00` and an arbitrary suffix compiles and
executes as only the prefix before the NUL. This leaves jq with a
post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path
even though the JSON parser path has already been fixed.
(CVE-2026-41256)
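As a defensive check for the filter-file truncation described above, the following shell script rejects a filter file that contains an embedded NUL byte before it is ever passed to `jq -f`. It is an added example, not code from the Mageia advisory or the jq project; the function names `has_embedded_nul` and `safe_jq_f` are assumptions, and the sample filter contents are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or from jq): refuse to run a jq filter
# file that contains an embedded NUL byte. An affected jq would otherwise
# compile and execute only the prefix before the NUL, so what runs would not
# match what a reviewer sees in the file.

# has_embedded_nul FILE
# Returns 0 (true) when FILE contains at least one NUL byte, 1 otherwise.
# The check compares the byte count with and without NULs stripped; any
# difference means a NUL is present. Assumes FILE is readable.
has_embedded_nul() {
    f="$1"
    total=$(wc -c < "$f")
    stripped=$(LC_ALL=C tr -d '\000' < "$f" | wc -c)
    # Unquoted on purpose: wc may pad its output with leading spaces.
    [ $total -ne $stripped ]
}

# safe_jq_f FILTER_FILE [jq arguments...]
# Wrapper around `jq -f` that only runs a filter file passing the check.
safe_jq_f() {
    filter="$1"; shift
    if [ ! -r "$filter" ]; then
        echo "cannot read filter file: $filter" >&2
        return 2
    fi
    if has_embedded_nul "$filter"; then
        echo "refusing to run: $filter contains an embedded NUL byte" >&2
        return 1
    fi
    jq -f "$filter" "$@"
}

# Usage (constructed sample): write a clean filter and a truncated-style one.
# clean=$(mktemp); printf '.[] | .name' > "$clean"
# bad=$(mktemp);   printf '.\000 | not'  > "$bad"
# safe_jq_f "$clean" input.json   # runs jq
# safe_jq_f "$bad"   input.json   # refuses, exit status 1
```

The byte-count comparison uses only `wc`, `tr` and `test`, so it runs on any POSIX shell without GNU-specific `grep -P` or similar; the `LC_ALL=C` setting keeps `tr` operating on raw bytes rather than multibyte characters.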
The ordinary module loader recurses without cycle detection when two
otherwise valid modules include each other. (CVE-2026-44777)
References
- https://bugs.mageia.org/show_bug.cgi?id=34443
- https://www.openwall.com/lists/oss-security/2026/04/15/8
- https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f
- https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p
- https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9
- https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg
- https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28
- https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29
- https://github.com/jqlang/jq/security/advisories/GHSA-gf4g-95wj-4q4r
- https://www.cve.org/CVERecord?id=CVE-2024-23337
- https://www.cve.org/CVERecord?id=CVE-2025-48060
- https://www.cve.org/CVERecord?id=CVE-2026-32316
- https://www.cve.org/CVERecord?id=CVE-2026-39979
- https://www.cve.org/CVERecord?id=CVE-2026-33948
- https://www.cve.org/CVERecord?id=CVE-2026-33947
- https://www.cve.org/CVERecord?id=CVE-2026-39956
- https://www.cve.org/CVERecord?id=CVE-2026-40164
SRPMS
9/core
- jq-1.6-3.1.mga9