{ "schema_version": "1.7.0", "id": "MGASA-2026-0188", "published": "2026-06-10T05:07:06Z", "modified": "2026-06-10T04:04:29Z", "summary": "Updated jq packages fix security vulnerabilities", "details": "An integer overflow arises when assigning value using an index of\n2147483647, the signed integer limit. This causes a denial of service.\n(CVE-2024-23337)\nIt was discovered that jq did not correctly handle certain string\nconcatenations. An attacker could possibly use this issue to cause a\ndenial of service or execute arbitrary code. (CVE-2026-32316)\nIt was discovered that jq did not correctly handle recursion in certain\ncircumstances. An attacker could possibly use this issue to cause a\ndenial of service. (CVE-2026-33947)\nIt was discovered that jq did not correctly handle improperly terminated\nstrings. An attacker could possibly use this issue to cause a denial of\nservice or execute arbitrary code. (CVE-2026-33948)\nIt was discovered that jq did not correctly handle checking certain\nvariable types. An attacker could possibly use this issue to cause a\ndenial of service or leak sensitive information. (CVE-2026-39956)\nIt was discovered that jq did not correctly handle certain string\nformatting. An attacker could possibly use this issue to leak sensitive\ninformation or cause a denial of service. (CVE-2026-39979)\nIt was discovered that jq used a fixed seed for hash table operations.\nAn attacker could possibly use this issue to cause a denial of service.\n(CVE-2026-40164)\nA heap-buffer-overflow is present in function `jv_string_vfmt` in the\njq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c,\nline 1456 `void* p = malloc(sz); (CVE-2025-48060)\nTop-level jq programs loaded from a file with -f are truncated at the\nfirst embedded NUL byte on current upstream HEAD. A crafted filter file\nsuch as . followed by \\x00 and arbitrary suffix compiles and executes as\nonly the prefix before the NUL. This leaves jq with a\npost-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path\neven though the JSON parser path has already been fixed.\n(CVE-2026-41256)\nThe ordinary module loader recurses without cycle detection when two\notherwise valid modules include each other (CVE-2026-44777)\n", "upstream": [ "CVE-2024-23337", "CVE-2025-48060", "CVE-2026-32316", "CVE-2026-39979", "CVE-2026-33948", "CVE-2026-33947", "CVE-2026-39956", "CVE-2026-40164" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2026-0188.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=34443" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2026/04/15/8" }, { "type": "ADVISORY", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f" }, { "type": "ADVISORY", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p" }, { "type": "ADVISORY", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9" }, { "type": "ADVISORY", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg" }, { "type": "ADVISORY", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28" }, { "type": "ADVISORY", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29" }, { "type": "ADVISORY", "url": "https://github.com/jqlang/jq/security/advisories/GHSA-gf4g-95wj-4q4r" } ], "affected": [ { "package": { "ecosystem": "Mageia:9", "name": "jq", "purl": "pkg:rpm/mageia/jq?arch=source&distro=mageia-9" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.6-3.1.mga9" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }