CVE-2026-32316
Published: 13 April 2026
Summary
CVE-2026-32316 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Jqlang Jq. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-32316 is an integer overflow vulnerability in the jq command-line JSON processor, affecting versions through 1.8.1. The issue resides in the jvp_string_append() and jvp_string_copy_replace_bad() functions, where concatenating strings with a combined length exceeding 2^31 bytes triggers a 32-bit unsigned integer overflow during buffer allocation size calculation. This results in a drastically undersized heap buffer, followed by memory copy operations that write full string data into it, causing a heap-based buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Unlike arrays and objects, which have size limits, string handling lacked bounds checking.
Any attacker who can supply untrusted jq queries to a vulnerable system can exploit the vulnerability. Its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) reflects network accessibility, low attack complexity, no privileges required, and high availability impact. Exploitation involves crafting queries that generate extremely large strings, enabling process crashes or potential heap corruption for further compromise, such as code execution.
Mitigation is available via the patch in commit e47e56d226519635768e6aab2f38f0ab037c09e5, as detailed in the jq security advisory GHSA-q3h9-m34w-h76f. Security practitioners should update to a patched version of jq and avoid evaluating untrusted queries on affected systems.
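The size arithmetic described above, as an added example that is not jq's source and not part of the original advisory: it models the 32-bit wrap next to a 64-bit checked calculation that rejects the request before any copy. The doubling growth policy, the `sbuf` type and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not jq source. Assumption: the buffer grows to twice
 * the combined length, with the size held in a 32-bit unsigned integer. */
static uint32_t unchecked_alloc_size(uint32_t cur_len, uint32_t add_len) {
    return (cur_len + add_len) * 2;   /* wraps modulo 2^32, silently */
}

/* Checked form: do the arithmetic in 64 bits and refuse anything that
 * does not fit. Returns 0 and writes *out on success, -1 on overflow. */
static int checked_alloc_size(uint32_t cur_len, uint32_t add_len, uint32_t *out) {
    uint64_t need = ((uint64_t)cur_len + add_len) * 2;
    if (need > UINT32_MAX) return -1;
    *out = (uint32_t)need;
    return 0;
}

/* Hypothetical growable string that validates the size before copying. */
struct sbuf { char *data; uint32_t len, cap; };

static int sbuf_append(struct sbuf *s, const char *src, uint32_t n) {
    if ((uint64_t)s->len + n + 1 > s->cap) {
        uint32_t cap;
        if (checked_alloc_size(s->len, n, &cap) != 0) return -1;
        if (cap < 32) cap = 32;       /* small floor, leaves room for NUL */
        char *p = realloc(s->data, cap);
        if (!p) return -1;
        s->data = p; s->cap = cap;
    }
    memcpy(s->data + s->len, src, n);
    s->len += n;
    s->data[s->len] = '\0';
    return 0;
}

int main(void) {
    /* Constructed lengths: two strings whose sum just exceeds 2^31. */
    uint32_t a = 0x80000000u, b = 16, cap;
    printf("need %llu bytes, unchecked size = %u\n",
           (unsigned long long)a + b, unchecked_alloc_size(a, b));
    printf("checked: %s\n", checked_alloc_size(a, b, &cap) ? "rejected" : "ok");
    return 0;
}
```

With the constructed lengths, the unchecked calculation yields a 32-byte buffer for more than 2 GiB of data, while the checked path returns an error.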
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22039
Vulnerability details
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad() functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Remotely supplied malicious queries or input can trigger the integer overflow in jq, causing a heap buffer overflow that leads to code execution or DoS. This maps directly to exploitation of public-facing apps (AV:N), client software, privilege escalation via RCE, and application exploitation for availability impact.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
Directly requires timely patching and flaw remediation for the integer overflow leading to heap buffer overflow in jq versions through 1.8.1.
Provides memory protection mechanisms such as address space layout randomization and heap guards to mitigate exploitation of the heap buffer overflow.
Enforces validation of untrusted JSON inputs to jq to block excessively large strings that trigger the integer overflow during concatenation.