HCE3-SA-2025-0067 Important HCE 3.0 Security Fix(es): jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, the signed integer limit. This causes a denial of service. Commit de21386681c0df0104a99d9d09db23a9b2a78b1e contains a patch for the issue. (CVE-2024-23337) jq is a command-line JSON processor. In versions up to and including 1.7.1, a heap-buffer-overflow is present in function `jv_string_vfmt` in the jq_fuzz_execute harness from oss-fuzz. This crash happens on file jv.c, line 1456 `void* p = malloc(sz);`. As of time of publication, no patched versions are available. (CVE-2025-48060) jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function f_strflocaltime of /src/builtin.c. This issue has been patched in commit 499c91b, no known fix version exists at time of publication. (CVE-2025-49014) HCE 3.0 jq-1.8.0-2.hce3.x86_64.rpm jq-devel-1.8.0-2.hce3.x86_64.rpm jq-help-1.8.0-2.hce3.noarch.rpm jq-1.8.0-2.hce3.aarch64.rpm jq-devel-1.8.0-2.hce3.aarch64.rpm