Integer Overflow and Buffer Overflow in jq JSON Processor
CVE-2026-32316
What is CVE-2026-32316?
An integer overflow vulnerability exists in the jq JSON processor through version 1.8.1, notably within the jvp_string_append() and jvp_string_copy_replace_bad() functions. The flaw arises when concatenating strings whose combined length exceeds 2^31 bytes, which leads to a significant miscalculation of the buffer allocation size. As a result, an undersized heap buffer is allocated, and subsequent memory operations may write beyond it, causing a heap-based buffer overflow. This allows attackers to crash affected systems or exploit the resulting heap corruption, and it particularly affects systems that process untrusted jq queries. The root cause is the lack of proper size bounds checking for strings, in contrast to the limits already established for arrays and objects. Mitigations have been implemented in a recent update.
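The arithmetic behind the undersized allocation, as an added example (not jq's source code and not part of the original advisory). It assumes 32-bit string lengths and a buffer sized at twice the combined length; the function names and MAX_STRING_LEN are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not jq source. Assumptions: lengths are uint32_t and
 * the new buffer is sized at twice the combined length. */

/* Vulnerable pattern: sum and doubling are done in 32 bits, so the result
 * wraps modulo 2^32 once cur + add reaches 2^31. */
static uint32_t alloc_size_unchecked(uint32_t cur, uint32_t add) {
    return (cur + add) * 2u;
}

/* Hypothetical cap: the largest combined length whose double fits in 32 bits. */
#define MAX_STRING_LEN ((uint64_t)INT32_MAX)

/* Hardened pattern: widen to 64 bits and reject oversized requests before
 * allocating. Returns false when the append must fail. */
static bool alloc_size_checked(uint32_t cur, uint32_t add, uint32_t *out) {
    uint64_t combined = (uint64_t)cur + (uint64_t)add;
    if (combined > MAX_STRING_LEN)
        return false;
    *out = (uint32_t)(combined * 2u); /* at most 2^32 - 2 */
    return true;
}

int main(void) {
    uint32_t cur = 0x80000000u; /* constructed: 2^31 bytes already held */
    uint32_t add = 16u;         /* constructed: 16 bytes appended */
    uint32_t sz = 0;

    printf("bytes to copy  : %llu\n", (unsigned long long)cur + add);
    printf("unchecked size : %u\n", (unsigned)alloc_size_unchecked(cur, add));
    printf("checked result : %s\n",
           alloc_size_checked(cur, add, &sz) ? "allocated" : "rejected");
    return 0;
}
```

In the unchecked case the computed size is a few dozen bytes while the copy length is over 2^31, which is the mismatch that produces the heap overflow described above.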
Affected Version(s)
jq < e47e56d226519635768e6aab2f38f0ab037c09e5
