Ubuntu alert USN-8202-3 (jq)
| From: | noreply+usn-bot@canonical.com |
| To: | ubuntu-security-announce@lists.ubuntu.com |
| Subject: | [USN-8202-3] jq regression |
| Date: | Thu, 21 May 2026 07:38:49 +0000 |
| Message-ID: | <E1wPxzV-0005un-CZ@lists.ubuntu.com> |
==========================================================================
Ubuntu Security Notice USN-8202-3
May 21, 2026

jq regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

USN-8202-1 introduced a regression in jq

Software Description:
- jq: lightweight and flexible command-line JSON processor

Details:

USN-8202-1 fixed vulnerabilities in jq. The update caused a regression for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that jq did not correctly handle certain string concatenations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-32316)

 It was discovered that jq did not correctly handle recursion in certain circumstances. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-33947)

 It was discovered that jq did not correctly handle improperly terminated strings. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-33948)

 It was discovered that jq did not correctly handle checking certain variable types. An attacker could possibly use this issue to cause a denial of service or leak sensitive information. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-39956)

 It was discovered that jq did not correctly handle certain string formatting. An attacker could possibly use this issue to leak sensitive information or cause a denial of service. (CVE-2026-39979)

 It was discovered that jq used a fixed seed for hash table operations. An attacker could possibly use this issue to cause a denial of service. This issue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-40164)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04 LTS
  jq                              1.6-1ubuntu0.20.04.1+esm3
                                  Available with Ubuntu Pro
  libjq-dev                       1.6-1ubuntu0.20.04.1+esm3
                                  Available with Ubuntu Pro
  libjq1                          1.6-1ubuntu0.20.04.1+esm3
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  jq                              1.5+dfsg-2ubuntu0.1~esm3
                                  Available with Ubuntu Pro
  libjq-dev                       1.5+dfsg-2ubuntu0.1~esm3
                                  Available with Ubuntu Pro
  libjq1                          1.5+dfsg-2ubuntu0.1~esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8202-3
  https://ubuntu.com/security/notices/USN-8202-2
  https://ubuntu.com/security/notices/USN-8202-1
  CVE-2026-40164, https://bugs.launchpad.net/ubuntu/+source/jq/+bug/2152052
Attachment: signature.asc (type=application/pgp-signature)
