CVE-2026-32316
Integer Overflow in jq Causes Heap Buffer Overflow Vulnerability
Publication date: 2026-04-13
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jqlang | jq | to 1.8.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-32316 is an integer overflow vulnerability in the jq command-line JSON processor, specifically in the functions jvp_string_append() and jvp_string_copy_replace_bad(). When concatenating very large strings whose combined length exceeds 2^31 bytes, the calculation for buffer allocation size overflows a 32-bit unsigned integer. This causes the program to allocate a much smaller buffer than needed.
Subsequently, memory copy operations write more data than the allocated buffer can hold, resulting in a heap buffer overflow. This vulnerability arises because strings in jq lack size bounds checking, unlike arrays and objects. An attacker can exploit this by crafting queries that produce extremely large strings, potentially crashing the jq process or causing heap corruption.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to crash any system or process that evaluates untrusted jq queries, leading to denial of service.
Additionally, heap corruption caused by the buffer overflow may enable further exploitation depending on the environment and memory allocator, potentially compromising system integrity.
Since jq is often used for processing JSON data, any application or service using vulnerable jq versions (up to 1.8.1) and processing untrusted input is at risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when jq processes untrusted queries that concatenate strings with a combined length exceeding 2^31 bytes, causing integer overflow and heap buffer overflow. Detection involves monitoring jq usage for unusually large string operations or crashes.
There are no specific commands provided in the resources to detect this vulnerability directly on your system or network.
However, you can monitor jq process crashes or abnormal behavior when processing large JSON inputs, which may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update jq to a version that includes the fix for CVE-2026-32316.
The fix, introduced in commit e47e56d226519635768e6aab2f38f0ab037c09e5, adds overflow checks in the vulnerable functions to prevent unsafe memory operations.
If updating is not immediately possible, avoid processing untrusted jq queries that concatenate extremely large strings or handle very large JSON inputs.