VYPR

rpm package

almalinux/jq

pkg:rpm/almalinux/jq

Vulnerabilities (4)

  • CVE-2026-40164 · High · Apr 14, 2026
    affected < 1.6-12.el8_10 · fixed 1.6-12.el8_10

    jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supp

  • CVE-2026-39979 · Medium · Apr 13, 2026
    affected < 1.6-12.el8_10 · fixed 1.6-12.el8_10

    jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which r

  • CVE-2025-48060 · May 21, 2025
    affected < 1.6-17.el9_6.2 · fixed 1.6-17.el9_6.2

    jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication,

  • CVE-2024-23337 · May 21, 2025
    affected < 1.6-17.el9_6.2 · fixed 1.6-17.el9_6.2

    jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch fo