Cyber Resilience

CVE-2026-32316

High · Public PoC

Published: 13 April 2026

Modified: 22 April 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score 0.0048 37.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32316 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in jqlang jq. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32316 is an integer overflow vulnerability in the jq command-line JSON processor, affecting versions through 1.8.1. The issue resides in the jvp_string_append() and jvp_string_copy_replace_bad() functions, where concatenating strings with a combined length exceeding 2^31 bytes triggers a 32-bit unsigned integer overflow during buffer allocation size calculation. This results in a drastically undersized heap buffer, followed by memory copy operations that write full string data into it, causing a heap-based buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Unlike arrays and objects, which have size limits, string handling lacked bounds checking.

The vulnerability can be exploited by any attacker who can supply untrusted jq queries to a vulnerable system. The CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) indicates network accessibility, low attack complexity, no privileges required, and high availability impact. Exploitation involves crafting queries that generate extremely large strings, enabling process crashes or potential heap corruption for further compromise, such as code execution.

Mitigation is available via the patch in commit e47e56d226519635768e6aab2f38f0ab037c09e5, as detailed in the jq security advisory GHSA-q3h9-m34w-h76f. Security practitioners should update to a patched version of jq and avoid evaluating untrusted queries on affected systems.

EU & UK References

Vulnerability details

jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad() functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
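The size calculation described in the analysis and vulnerability details above can be modelled without allocating anything. This is an added example, not jq's source or the patch: it assumes a growth policy that doubles the combined length in 32-bit unsigned arithmetic, and `MAX_STRING_LEN` and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limit on combined string length; not taken from the jq patch. */
#define MAX_STRING_LEN ((uint64_t)INT32_MAX)

/* Model of the flawed calculation. Assumption: the buffer is sized at twice
 * the combined length, in 32-bit unsigned arithmetic, so the result is
 * reduced modulo 2^32 once the combined length reaches 2^31. */
static uint32_t alloc_size_wrapping(uint32_t cur_len, uint32_t add_len) {
    return (cur_len + add_len) * 2u;
}

/* Bounds-checked form: do the arithmetic in 64 bits and refuse any
 * combined length above the limit before a size is ever produced. */
static bool alloc_size_checked(uint32_t cur_len, uint32_t add_len,
                               uint32_t *out) {
    uint64_t total = (uint64_t)cur_len + add_len;
    if (total > MAX_STRING_LEN)
        return false;               /* caller must fail the concatenation */
    *out = (uint32_t)(total * 2u);  /* at most 2^32 - 2, fits in 32 bits */
    return true;
}

/* Bytes a full copy would write past a buffer of the wrapped size. */
static uint64_t bytes_past_buffer(uint32_t cur_len, uint32_t add_len) {
    uint64_t needed = (uint64_t)cur_len + add_len;
    uint64_t got = alloc_size_wrapping(cur_len, add_len);
    return needed > got ? needed - got : 0;
}

int main(void) {
    /* Constructed lengths: a string just under 2 GiB plus 16 more bytes. */
    uint32_t cur = 0x7FFFFFFFu, add = 0x10u, size = 0;
    printf("wrapped allocation: %u bytes\n",
           (unsigned)alloc_size_wrapping(cur, add));
    printf("written past end:   %llu bytes\n",
           (unsigned long long)bytes_past_buffer(cur, add));
    printf("checked accepts:    %s\n",
           alloc_size_checked(cur, add, &size) ? "yes" : "no");
    return 0;
}
```
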

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Integer overflow in jq enables remote supply of malicious queries/input to trigger heap buffer overflow for code execution or DoS; directly maps to exploitation of public-facing apps (AV:N), client software, privilege escalation via RCE, and application exploitation for availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-53427 · Same product: Jqlang Jq
CVE-2026-44983 · Shared CWE-122, CWE-190
CVE-2026-25897 · Shared CWE-122, CWE-190
CVE-2026-26111 · Shared CWE-122, CWE-190
CVE-2026-30909 · Shared CWE-190
CVE-2026-44636 · Shared CWE-122, CWE-190
CVE-2026-48690 · Shared CWE-122, CWE-190
CVE-2026-33020 · Shared CWE-122, CWE-190
CVE-2026-48691 · Shared CWE-122, CWE-190
CVE-2026-8631 · Shared CWE-122, CWE-190

Affected Assets

jqlang · jq · ≤ 1.8.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely patching and flaw remediation for the integer overflow leading to heap buffer overflow in jq versions through 1.8.1.

prevent

Provides memory protection mechanisms such as address space layout randomization and heap guards to mitigate exploitation of the heap buffer overflow.

prevent

Enforces validation of untrusted JSON inputs to jq to block excessively large strings that trigger the integer overflow during concatenation.

References