|
|
Log in / Subscribe / Register

Ubuntu alert USN-8202-2 (jq)



From:
              noreply+usn-bot@canonical.com


To:
              ubuntu-security-announce@lists.ubuntu.com


Subject:
              [USN-8202-2] jq vulnerabilities


Date:
              Tue, 28 Apr 2026 06:04:20 +0000


Message-ID:
              <E1wHbYS-0004c7-MY@lists.ubuntu.com>


==========================================================================
Ubuntu Security Notice USN-8202-2
April 28, 2026

jq vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:


Summary:

Several security issues were fixed in jq.

Software Description:

Details:

USN-8202-1 fixed vulnerabilities in jq. This update provides the
corresponding update to Ubuntu 26.04 LTS.

Original advisory details:

 It was discovered that jq did not correctly handle certain string
 concatenations. An attacker could possibly use this issue to cause a
 denial  of service or execute arbitrary code. (CVE-2026-32316)

 It was discovered that jq did not correctly handle recursion in certain
 circumstances. An attacker could possibly use this issue to cause a denial
 of service. (CVE-2026-33947)

 It was discovered that jq did not correctly handle improperly terminated
 strings. An attacker could possibly use this issue to cause a denial of
 service or execute arbitrary code. (CVE-2026-33948)

 It was discovered that jq did not correctly handle checking certain
 variable types. An attacker could possibly use this issue to cause a
 denial  of service or leak sensitive information. (CVE-2026-39956)

 It was discovered that jq did not correctly handle certain string
 formatting. An attacker could possibly use this issue to leak sensitive
 information or cause a denial of service. (CVE-2026-39979)

 It was discovered that jq used a fixed seed for hash table operations. An
 attacker could possibly use this issue to cause a denial of service.
 (CVE-2026-40164)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8202-2
  https://ubuntu.com/security/notices/USN-8202-1
  CVE-2026-32316, CVE-2026-33947, CVE-2026-33948, CVE-2026-39956,
  CVE-2026-39979, CVE-2026-40164




Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmnwTXcACgkQcpJm3tlz
hgHqVA/9FwypFHjLP0bevBXwkRU7HZ34zly+uPS+GjRWxKuf+kp8tqd4UB8GEpO7
TxmTMa8lFQE++6kuDJqq7z2AwxOfffwfh/ge80LGlAbF5ZTz5EbFv7+MuOsopVk9
52iYtrPL17npGT1rC2wVsgYVuExm5HeZtc3pjWflZcw+3uw6CB02hhHdZjOoM5mw
oUv9infIXEZcNcinJ4Yr0E8YJOfkF+5azVaFznUU9mcXef4rDOJjZIaP0bVjuGth
dFu3Hi3djiQFwxSts0A6UnOMoF5a692Wd5OM2xwqjeFrjL1qqIT9kOYyIPt+ltKy
VRhnmLUBmN61i3QdSmGIr2Zu7JUI+KLyZyeq7U4v8C7mA06jam/zZvkjbxxNG6N4
g5LcowRh60XzY+daASLTOhvK4AW70qMM1b99zSD8CE9bfSBAQH4ipdwl4keoWg82
irBPRKMgrTdmVPd9A2xVo9w2Q9SxcqNQd/YhZm0vAThR0jlLc7m6szT6cBDSaq0X
mKKCU2SqmV7QKwblM0o8QuwHtDX243768kah+/DqNMmFPCNq860W0utOThUopPmA
nOIzgQ9aLi9v/XAo2JuCe5TxfWN3cyjlKSg/18w5U4gIdyqbKZqhicSnNmjsw3ll
uiyzeh6uC3CeswkKLDC/+Dn+G6aggeDuq8cMoH0+srBXGlfdN74=
=TUpa
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds