Skip to main content

Jq CVE-2026-32316

| EUVD-2026-22039 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-13 GitHub_M
Heap Overflow Buffer Overflow Jq
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
6.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Patch released
Apr 19, 2026 - 02:30 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:32 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 18:00 euvd
EUVD-2026-22039
Analysis Generated
Apr 13, 2026 - 18:00 vuln.today
CVE Published
Apr 13, 2026 - 17:49 nvd
HIGH 8.2

DescriptionGitHub Advisory

jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.

AnalysisAI

Heap buffer overflow in jq command-line JSON processor (all versions through 1.8.1) allows remote unauthenticated attackers to crash processes or potentially achieve code execution via crafted queries producing strings exceeding 2^31 bytes. Integer overflow in jvp_string_append() and jvp_string_copy_replace_bad() functions causes undersized buffer allocation followed by heap corruption. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted jq query to target system
Exploit
Query triggers recursive string concatenation
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control or influence jq query input supplied to vulnerable systems. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk assessment reveals moderate-to-high severity with limited observed exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a public API endpoint that accepts user-supplied jq filter expressions to transform JSON responses. They craft a malicious query containing nested string concatenation operations designed to produce output exceeding 2^31 bytes, such as recursive string doubling via reduce expressions. …
Remediation Upstream fix available in commit e47e56d226519635768e6aab2f38f0ab037c09e5 which implements string size bounds checking aligned with existing array and object limits. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: inventory all systems running jq versions 1.8.1 and earlier, prioritizing internet-facing API endpoints and data processing services. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-32316 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy