Ubuntu Patches jq Regression After Security Fix Rollout

Ubuntu released USN-8202-3 to address a regression introduced by critical jq security patches. The update restores functionality for Ubuntu 18.04 LTS and 20.04 LTS while maintaining fixes for multiple code execution and denial-of-service vulnerabilities.

TL;DR

  • jq security patches (USN-8202-1) caused regressions on Ubuntu 18.04 and 20.04 LTS systems
  • Three CVEs addressed string concatenation flaws, recursion handling, and unterminated string parsing
  • Vulnerabilities could enable arbitrary code execution or denial-of-service attacks
  • USN-8202-3 resolves the regression while preserving the original security fixes

Ubuntu released a follow-up security update (USN-8202-3) to address unintended side effects from the initial jq vulnerability patches distributed in USN-8202-1. The regression impacted Ubuntu 18.04 LTS and 20.04 LTS users, causing operational issues despite the patches addressing serious security flaws.

The original advisory covered three distinct vulnerabilities in jq, a command-line JSON processor widely used in infrastructure automation and data processing pipelines. These flaws ranged from improper string concatenation handling to recursion logic errors and malformed string parsing, each capable of triggering denial-of-service conditions or arbitrary code execution.

Original Vulnerabilities Fixed

  • CVE-2026-32316: Incorrect string concatenation handling allowing DoS or code execution
  • CVE-2026-33947: Recursion handling flaw enabling denial-of-service attacks
  • CVE-2026-33948: Improper parsing of unterminated strings leading to DoS or arbitrary code execution
  • Patches applied across Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04, and 25.10 releases

Regression Impact and Resolution

  • USN-8202-1 patches introduced unexpected behavior on Ubuntu 18.04 LTS and 20.04 LTS systems
  • USN-8202-3 corrects the regression while preserving all original security fixes
  • Organizations running affected LTS versions should apply the updated patch immediately
  • Regression fixes ensure jq functionality remains intact for production JSON processing workflows
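
To triage a host against the release groups above, the following added example (not part of the Ubuntu advisory) classifies the release and reports whether apt has a newer jq candidate than the installed package. The function names and the version strings in the sample are constructed; the article gives no fixed package versions, so the script only shows whether an update is pending.

```shell
#!/bin/sh
# Added example (not from the Ubuntu advisory). Release lists come from the
# article text; the version strings in SAMPLE_POLICY are constructed.

# Print VERSION_ID from os-release formatted text on stdin.
release_id() {
    awk -F= '$1 == "VERSION_ID" { gsub(/"/, "", $2); print $2 }'
}

# Map a release to the group the article places it in.
classify_release() {
    case "$1" in
        18.04|20.04) echo "regression-affected" ;;   # needs USN-8202-3
        16.04|22.04|24.04|25.10) echo "patched-only" ;;
        *) echo "not-listed" ;;
    esac
}

# Read `apt-cache policy jq` output on stdin and compare Installed/Candidate.
policy_status() {
    awk '
        $1 == "Installed:" { inst = $2 }
        $1 == "Candidate:" { cand = $2 }
        END {
            if (inst == "" || inst == "(none)") print "not-installed"
            else if (inst == cand) print "up-to-date"
            else print "update-pending " inst " -> " cand
        }'
}

# Constructed sample of `apt-cache policy jq` output (placeholder versions).
SAMPLE_POLICY='jq:
  Installed: 0.0-sample1
  Candidate: 0.0-sample2
  Version table:'

# Live check: run with --check on the host (after `apt-get update`, so the
# candidate reflects current package indexes).
if [ "${1:-}" = "--check" ]; then
    rel=$(release_id < /etc/os-release)
    echo "release $rel: $(classify_release "$rel")"
    apt-cache policy jq | policy_status
fi
```

An "up-to-date" result only means no newer jq is available from the repositories configured on that host.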
