CVE-2026-32316: jq: Integer overflow in jvp_string_append() allows Heap-based Buffer Overflow

Published Apr 13, 2026
·
Updated

jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.

Affected Software

4 affected componentsFixes available
JQ jq<=1.8.1
Microsoft azl3 jq 1.7.1-4
Patch available
jqlang jq<=1.8.1
Microsoft cbl2 jq 1.6-5
Patch available

Remediation

Patch Available

https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5

Patch Available

https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f

Event History

Apr 13, 2026
CVE Published
via MITRE·05:49 PM
Data Sourced
via MITRE·05:49 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:16 PM
RemedyDescriptionSeverityWeaknessAffected Software
Apr 17, 2026
Data Sourced
via Microsoft·08:01 AM
DescriptionSeverityWeaknessAffected Software
Updated
via Microsoft·08:01 AM
Affected Software
Updated
via Microsoft·08:01 AM
DescriptionSeverity
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-32316?

The severity of CVE-2026-32316 is classified as high due to its potential for heap-based buffer overflow.

2

How do I fix CVE-2026-32316?

To fix CVE-2026-32316, update jq to version 1.8.2 or later.

3

Which versions of jq are affected by CVE-2026-32316?

CVE-2026-32316 affects jq versions up to and including 1.8.1.

4

What type of vulnerability is CVE-2026-32316?

CVE-2026-32316 is an integer overflow vulnerability that can lead to a heap-based buffer overflow.

5

Is CVE-2026-32316 present in Microsoft products using jq?

Yes, CVE-2026-32316 is present in certain Microsoft products that utilize affected versions of jq up to 1.8.1.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203