Bug 2458077 (CVE-2026-39979)

Summary: CVE-2026-39979 jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, amctagga, aoconnor, bniver, crizzo, dschmidt, erezende, flucifre, gmeno, groman, jlanda, jmitchel, kshier, mbenjamin, mhackett, pbohmill, rhel-process-autobot, simaishi, smcdonal, sostapov, stcannon, teagle, vereddy, watson-tool-maintainers, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the `jv_parse_sized` function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the error message generated by the parser.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2458400    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-13 23:01:25 UTC 
jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.
Comment 2 errata-xmlrpc 2026-05-12 15:56:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:16252 https://access.redhat.com/errata/RHSA-2026:16252
Comment 3 errata-xmlrpc 2026-05-13 01:56:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:16693 https://access.redhat.com/errata/RHSA-2026:16693
Comment 4 errata-xmlrpc 2026-05-13 01:59:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:16692 https://access.redhat.com/errata/RHSA-2026:16692
Comment 5 errata-xmlrpc 2026-05-18 11:49:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:18045 https://access.redhat.com/errata/RHSA-2026:18045
Comment 6 errata-xmlrpc 2026-05-18 11:57:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:18044 https://access.redhat.com/errata/RHSA-2026:18044
Comment 7 errata-xmlrpc 2026-05-18 12:00:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:18042 https://access.redhat.com/errata/RHSA-2026:18042
Comment 8 errata-xmlrpc 2026-05-18 12:01:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:18046 https://access.redhat.com/errata/RHSA-2026:18046
Comment 9 errata-xmlrpc 2026-05-18 12:08:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:18040 https://access.redhat.com/errata/RHSA-2026:18040
Comment 10 errata-xmlrpc 2026-05-18 12:08:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:18048 https://access.redhat.com/errata/RHSA-2026:18048
Comment 11 errata-xmlrpc 2026-05-18 12:23:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:18047 https://access.redhat.com/errata/RHSA-2026:18047
Comment 12 errata-xmlrpc 2026-05-18 12:30:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:18043 https://access.redhat.com/errata/RHSA-2026:18043
Comment 13 errata-xmlrpc 2026-05-19 16:09:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:19151 https://access.redhat.com/errata/RHSA-2026:19151
Comment 14 errata-xmlrpc 2026-05-19 21:40:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:19365 https://access.redhat.com/errata/RHSA-2026:19365