CVE-2026-32316Heap-based Buffer Overflow in JQ

CWE-122Heap-based Buffer OverflowCWE-190Integer Overflow or Wraparound6 documents5 sources
Severity
8.2HIGHNVD
EPSS
0.0%
top 87.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jqlang JQ
Timeline
PublishedApr 13

Description

jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer o

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages1 packages

CVEListV5jqlang/jq< e47e56d226519635768e6aab2f38f0ab037c09e5

🔴Vulnerability Details

2
CVEList
jq: Integer overflow in jvp_string_append() allows Heap-based Buffer Overflow2026-04-13
VulDB
jqlang jq up to 1.8.1 jvp_string_append/jvp_string_copy_replace_bad heap-based overflow (GHSA-q3h9-m34w-h76f)2026-04-13

📋Vendor Advisories

1
Red Hat
jq: jq: Denial of Service or potential arbitrary code execution due to integer overflow and heap-based buffer overflow2026-04-13

💬Community

2
Bugzilla
CVE-2026-32316 jq: jq: Denial of Service or potential arbitrary code execution due to integer overflow and heap-based buffer overflow [fedora-all]2026-04-13
Bugzilla
CVE-2026-32316 jq: jq: Denial of Service or potential arbitrary code execution due to integer overflow and heap-based buffer overflow2026-04-13
CVE-2026-32316 — Heap-based Buffer Overflow in JQ | cvebase