UBUNTU-CVE-2026-39979

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-39979

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-39979

Upstream

CVE-2026-39979

Downstream

USN-8202-1

USN-8202-2

Related

Published

2026-04-13T23:16:00Z

Modified

2026-05-20T16:25:38.510802597Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jvparsesized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jvstringfmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jvparsesized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.

References

Affected packages

Ubuntu:22.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6-2.1ubuntu3.2

Affected versions

1.*

1.6-2.1ubuntu2

1.6-2.1ubuntu3

1.6-2.1ubuntu3.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.6-2.1ubuntu3.2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.6-2.1ubuntu3.2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json"

Ubuntu:24.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.1-3ubuntu0.24.04.2

Affected versions

1.*

1.6-3

1.7-1

1.7.1-2

1.7.1-3

1.7.1-3build1

1.7.1-3ubuntu0.24.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.7.1-3ubuntu0.24.04.2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.7.1-3ubuntu0.24.04.2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json"

Ubuntu:25.10

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.1-3ubuntu1.1

Affected versions

1.*

1.7.1-3ubuntu1

1.7.1-6ubuntu1

1.8.1-3ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.8.1-3ubuntu1.1"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.8.1-3ubuntu1.1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json"

Ubuntu:26.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.1-4ubuntu2

Affected versions

1.*

1.8.1-3ubuntu1

1.8.1-4ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.8.1-4ubuntu2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.8.1-4ubuntu2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json"

Ubuntu:Pro:14.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3-1.1ubuntu1.1+esm4

Affected versions

1.*

1.2-8

1.3-1

1.3-1.1ubuntu1

1.3-1.1ubuntu1.1

1.3-1.1ubuntu1.1+esm3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.3-1.1ubuntu1.1+esm4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json"

Ubuntu:Pro:16.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5+dfsg-1ubuntu0.1+esm4

Affected versions

1.*

1.4-2.1

1.5+dfsg-1

1.5+dfsg-1ubuntu0.1

1.5+dfsg-1ubuntu0.1+esm2

1.5+dfsg-1ubuntu0.1+esm3

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.5+dfsg-1ubuntu0.1+esm4"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json"

Ubuntu:Pro:18.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5+dfsg-2ubuntu0.1~esm2

Affected versions

1.*

1.5+dfsg-2

1.5+dfsg-2ubuntu0.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json"

Ubuntu:Pro:20.04:LTS

Package

Name: jq
Purl: pkg:deb/ubuntu/jq?arch=source&distro=esm-infra%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6-1ubuntu0.20.04.1+esm2

Affected versions

1.*

1.5+dfsg-2build1

1.6-1

1.6-1ubuntu0.20.04.1

1.6-1ubuntu0.20.04.1+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_name": "jq",
            "binary_version": "1.6-1ubuntu0.20.04.1+esm2"
        },
        {
            "binary_name": "libjq1",
            "binary_version": "1.6-1ubuntu0.20.04.1+esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-39979.json"