Description
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
Published: 2026-04-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based Buffer Overflow
Action: Patch
AI Analysis

Impact

The flaw stems from an integer overflow in the jvp_string_append() and jvp_string_copy_replace_bad functions of jq when concatenating strings whose total length exceeds 2^31 bytes. The overflow causes the buffer allocation size calculation to under‑allocate the heap buffer, after which a subsequent memory copy writes the full string into this undersized buffer. The result is a heap buffer overflow classified as CWE‑190 and CWE‑122. An attacker can craft jq queries that trigger the overflow, potentially crashing the process or creating conditions for further exploitation through heap corruption.
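
The size wrap-around described above, as an added example that is not jq's code and not the fix from the referenced commit. It assumes a growth policy that doubles the combined length in a uint32_t (an assumption about the shape of the calculation), and the names alloc_size_wrapping, alloc_size_checked and MAX_STRING_BYTES are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap chosen for illustration; not jq's actual limit. */
#define MAX_STRING_BYTES ((uint32_t)INT32_MAX)

/* Unchecked form: every step is computed modulo 2^32, so a large
 * combined length silently wraps to a small allocation size. */
static uint32_t alloc_size_wrapping(uint32_t currlen, uint32_t len) {
  uint32_t allocsz = (currlen + len) * 2; /* assumed doubling growth policy */
  if (allocsz < 32) allocsz = 32;
  return allocsz;
}

/* Checked form: do the arithmetic in 64 bits and refuse anything past
 * the cap, so the caller reports an error instead of allocating. */
static bool alloc_size_checked(uint32_t currlen, uint32_t len, uint32_t *out) {
  uint64_t total = (uint64_t)currlen + len;
  if (total > MAX_STRING_BYTES) return false; /* string too long */
  uint64_t allocsz = total * 2;
  if (allocsz < 32) allocsz = 32;
  /* Unreachable under the current cap; kept in case the cap is raised. */
  if (allocsz > UINT32_MAX) return false;
  *out = (uint32_t)allocsz;
  return true;
}

int main(void) {
  /* Constructed lengths: an existing 2^31-byte string plus 16 more bytes. */
  uint32_t currlen = 0x80000000u, len = 16, checked = 0;

  printf("bytes to copy : %llu\n", (unsigned long long)currlen + len);
  printf("wrapping size : %u\n", (unsigned)alloc_size_wrapping(currlen, len));
  if (!alloc_size_checked(currlen, len, &checked))
    printf("checked size  : rejected (exceeds cap)\n");
  return 0;
}
```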

Affected Systems

jq, the command‑line JSON processor from the JQ language community, is affected in all releases through version 1.8.1. Any system that evaluates untrusted jq queries is at risk, as the vulnerable code paths are exercised by user‑supplied query input.

Risk and Exploitability

With a CVSS score of 8.2 the vulnerability is considered high severity. The EPSS score is not available, so the current exploitation probability is unknown, but the lack of mitigation instructions and the potential to crash or corrupt memory make it a serious threat. The vulnerability is not listed in CISA’s KEV catalog, indicating no widespread exploitation yet. The likely attack vector is the supply of malicious jq queries via user input, scripts, or configuration files, which directly trigger the overflow.

Generated by OpenCVE AI on April 13, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update jq to a version newer than 1.8.1 or apply the patch from commit e47e56d226519635768e6aab2f38f0ab037c09e5
  • If an upgrade is not immediately feasible, limit jq usage to trusted input, run it in a restricted environment, and monitor for abnormal crashes



Advisories
Source: Ubuntu USN
ID: USN-8202-2
Title: jq vulnerabilities
History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*:*

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Jqlang
Jqlang jq
Vendors & Products Jqlang
Jqlang jq

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
Title jq: Integer overflow in jvp_string_append() allows Heap-based Buffer Overflow
Weaknesses CWE-122
CWE-190
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T18:56:54.199Z

Reserved: 2026-03-11T21:16:21.660Z

Link: CVE-2026-32316

Vulnrichment

Updated: 2026-04-13T18:56:50.422Z

NVD

Status: Analyzed

Published: 2026-04-13T18:16:29.420

Modified: 2026-04-22T16:29:09.383

Link: CVE-2026-32316

Red Hat

Severity: Moderate

Public Date: 2026-04-13T17:49:34Z

Links: CVE-2026-32316 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:33:45Z
