{"id":"USN-8202-1","summary":"jq vulnerabilities","details":"It was discovered that jq did not correctly handle certain string\nconcatenations. An attacker could possibly use this issue to cause a denial\nof service or execute arbitrary code. This issue was addressed in Ubuntu\n16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu\n24.04 LTS and Ubuntu 25.10. (CVE-2026-32316)\n\nIt was discovered that jq did not correctly handle recursion in certain\ncircumstances. An attacker could possibly use this issue to cause a denial\nof service. (CVE-2026-33947)\n\nIt was discovered that jq did not correctly handle improperly terminated\nstrings. An attacker could possibly use this issue to cause a denial of\nservice or execute arbitrary code. This issue was addressed in Ubuntu 16.04\nLTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS\nand Ubuntu 25.10. (CVE-2026-33948)\n\nIt was discovered that jq did not correctly handle checking certain\nvariable types. An attacker could possibly use this issue to cause a denial\nof service or leak sensitive information. This issue was addressed in\nUbuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,\nUbuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-39956)\n\nIt was discovered that jq did not correctly handle certain string\nformatting. An attacker could possibly use this issue to leak sensitive\ninformation or cause a denial of service. (CVE-2026-39979)\n\nIt was discovered that jq used a fixed seed for hash table operations. An\nattacker could possibly use this issue to cause a denial of service. This\nissue was addressed in Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04\nLTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-40164)","modified":"2026-04-27T19:02:47.400897566Z","published":"2026-04-23T07:35:38Z","upstream":["CVE-2026-32316","CVE-2026-33947","CVE-2026-33948","CVE-2026-39956","CVE-2026-39979","CVE-2026-40164","UBUNTU-CVE-2026-32316","UBUNTU-CVE-2026-33947","UBUNTU-CVE-2026-33948","UBUNTU-CVE-2026-39956","UBUNTU-CVE-2026-39979","UBUNTU-CVE-2026-40164"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8202-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-32316"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-33947"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-33948"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-39956"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-39979"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40164"}],"affected":[{"package":{"name":"jq","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/jq@1.3-1.1ubuntu1.1+esm4?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3-1.1ubuntu1.1+esm4"}]}],"versions":["1.2-8","1.3-1","1.3-1.1ubuntu1","1.3-1.1ubuntu1.1","1.3-1.1ubuntu1.1+esm3"],"ecosystem_specific":{"binaries":[{"binary_name":"jq","binary_version":"1.3-1.1ubuntu1.1+esm4"}],"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8202-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:14.04:LTS"}}},{"package":{"name":"jq","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm4?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5+dfsg-1ubuntu0.1+esm4"}]}],"versions":["1.4-2.1","1.5+dfsg-1","1.5+dfsg-1ubuntu0.1","1.5+dfsg-1ubuntu0.1+esm2","1.5+dfsg-1ubuntu0.1+esm3"],"ecosystem_specific":{"binaries":[{"binary_name":"jq","binary_version":"1.5+dfsg-1ubuntu0.1+esm4"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8202-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"jq","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm2?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5+dfsg-2ubuntu0.1~esm2"}]}],"versions":["1.5+dfsg-2","1.5+dfsg-2ubuntu0.1~esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"jq","binary_version":"1.5+dfsg-2ubuntu0.1~esm2"},{"binary_name":"libjq1","binary_version":"1.5+dfsg-2ubuntu0.1~esm2"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8202-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"jq","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm2?arch=source&distro=esm-infra/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6-1ubuntu0.20.04.1+esm2"}]}],"versions":["1.5+dfsg-2build1","1.6-1","1.6-1ubuntu0.20.04.1","1.6-1ubuntu0.20.04.1+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"jq","binary_version":"1.6-1ubuntu0.20.04.1+esm2"},{"binary_name":"libjq1","binary_version":"1.6-1ubuntu0.20.04.1+esm2"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8202-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}},{"package":{"name":"jq","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6-2.1ubuntu3.2"}]}],"versions":["1.6-2.1ubuntu2","1.6-2.1ubuntu3","1.6-2.1ubuntu3.1"],"ecosystem_specific":{"binaries":[{"binary_name":"jq","binary_version":"1.6-2.1ubuntu3.2"},{"binary_name":"libjq1","binary_version":"1.6-2.1ubuntu3.2"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8202-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:22.04:LTS"}}},{"package":{"name":"jq","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.7.1-3ubuntu0.24.04.2"}]}],"versions":["1.6-3","1.7-1","1.7.1-2","1.7.1-3","1.7.1-3build1","1.7.1-3ubuntu0.24.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"jq","binary_version":"1.7.1-3ubuntu0.24.04.2"},{"binary_name":"libjq1","binary_version":"1.7.1-3ubuntu0.24.04.2"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8202-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:24.04:LTS"}}},{"package":{"name":"jq","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/jq@1.8.1-3ubuntu1.1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.1-3ubuntu1.1"}]}],"versions":["1.7.1-3ubuntu1","1.7.1-6ubuntu1","1.8.1-3ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"jq","binary_version":"1.8.1-3ubuntu1.1"},{"binary_name":"libjq1","binary_version":"1.8.1-3ubuntu1.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8202-1.json","cves_map":{"cves":[],"ecosystem":"Ubuntu:25.10"}}}],"schema_version":"1.7.5"}