CVE-2026-32316: CWE-122: Heap-based Buffer Overflow in jqlang jq
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
AI Analysis
Technical Summary
CVE-2026-32316 is a heap-based buffer overflow vulnerability in jq versions before commit e47e56d226519635768e6aab2f38f0ab037c09e5. The flaw is caused by an integer overflow in the buffer allocation size calculation within the jvp_string_append() and jvp_string_copy_replace_bad functions when concatenating strings exceeding 2^31 bytes. This results in allocating a buffer that is too small, leading to a heap overflow when the full string data is copied. The root cause is the lack of string size bounds checking, unlike other jq data types. This vulnerability can cause denial of service via process crashes or potentially enable further exploitation through heap corruption. The issue has been addressed by the vendor in the specified commit.
Potential Impact
The vulnerability allows an attacker to crash the jq process by triggering a heap buffer overflow through crafted queries that produce extremely large strings. This can result in denial of service. Additionally, heap corruption caused by the overflow may allow further exploitation, although no known exploits are reported in the wild. The vulnerability does not directly impact confidentiality but affects integrity and availability.
Mitigation Recommendations
A fix for this vulnerability has been implemented in jq at commit e47e56d226519635768e6aab2f38f0ab037c09e5. Users should upgrade to a version including this commit or later to remediate the issue. Patch status is confirmed by the vendor commit reference. No other mitigation actions are indicated.
CVE-2026-32316: CWE-122: Heap-based Buffer Overflow in jqlang jq
Description
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-32316 is a heap-based buffer overflow vulnerability in jq versions before commit e47e56d226519635768e6aab2f38f0ab037c09e5. The flaw is caused by an integer overflow in the buffer allocation size calculation within the jvp_string_append() and jvp_string_copy_replace_bad functions when concatenating strings exceeding 2^31 bytes. This results in allocating a buffer that is too small, leading to a heap overflow when the full string data is copied. The root cause is the lack of string size bounds checking, unlike other jq data types. This vulnerability can cause denial of service via process crashes or potentially enable further exploitation through heap corruption. The issue has been addressed by the vendor in the specified commit.
Potential Impact
The vulnerability allows an attacker to crash the jq process by triggering a heap buffer overflow through crafted queries that produce extremely large strings. This can result in denial of service. Additionally, heap corruption caused by the overflow may allow further exploitation, although no known exploits are reported in the wild. The vulnerability does not directly impact confidentiality but affects integrity and availability.
Mitigation Recommendations
A fix for this vulnerability has been implemented in jq at commit e47e56d226519635768e6aab2f38f0ab037c09e5. Users should upgrade to a version including this commit or later to remediate the issue. Patch status is confirmed by the vendor commit reference. No other mitigation actions are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-11T21:16:21.660Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd2f9182d89c981f2dce11
Added to database: 4/13/2026, 6:01:53 PM
Last enriched: 4/13/2026, 6:17:11 PM
Last updated: 4/13/2026, 8:04:40 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.