CVE-2026-32316 | jqlang jq up to 1.8.1 jvp_string_append/jvp_string_copy_replace_bad heap-based overflow (GHSA-q3h9-m34w-h76f)

VDB-357204 · CVE-2026-32316 · GHSA-Q3H9-M34W-H76F JQLANG JQ UP TO 1.8.1 JVP_STRING_APPEND/JVP_STRING_COPY_REPLACE_BAD HEAP-BASED OVERFLOW HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 7.6 $0-$5k 0.91+ Summaryinfo A vulnerability categorized as critical has been discovered in jqlang jq up to 1.8.1. Affected by this issue is the function jvp_string_append/jvp_string_copy_replace_bad. The manipulation results in heap-based overflow. This vulnerability is cataloged as CVE-2026-32316. The attack may be launched remotely. There is no exploit available. It is advisable to implement a patch to correct this issue. Detailsinfo A vulnerability, which was classified as critical, was found in jqlang jq up to 1.8.1. Affected is the function jvp_string_append/jvp_string_copy_replace_bad. The manipulation with an unknown input leads to a heap-based overflow vulnerability. CWE is classifying the issue as CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes: jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-32316 since 03/11/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are known technical details, but no exploit is available. Applying the patch e47e56d226519635768e6aab2f38f0ab037c09e5 is able to eliminate this problem. The bugfix is ready for download at github.com. Productinfo Vendor jqlang Name jq Version 1.8.0 1.8.1 License open-source Website Product: https://github.com/jqlang/jq/ CPE 2.3info 🔒 🔒 CPE 2.2info 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 7.7 VulDB Meta Temp Score: 7.6 VulDB Base Score: 7.3 VulDB Temp Score: 7.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 8.2 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Heap-based overflow CWE: CWE-122 / CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Patch Status: 🔍 0-Day Time: 🔒 Patch: e47e56d226519635768e6aab2f38f0ab037c09e5 Timelineinfo 03/11/2026 CVE reserved 04/13/2026 +32 days Advisory disclosed 04/13/2026 +0 days VulDB entry created 04/13/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-q3h9-m34w-h76f Status: Confirmed CVE: CVE-2026-32316 (🔒) GCVE (CVE): GCVE-0-2026-32316 GCVE (VulDB): GCVE-100-357204 Entryinfo Created: 04/13/2026 21:41 Changes: 04/13/2026 21:41 (66) Complete: 🔍 Cache ID: 99:231:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸