Introduction
An integer overflow in jq's internal string handling functions allows an attacker to trigger a heap buffer overflow by crafting queries that concatenate strings beyond 2^31 bytes, crashing the process or potentially corrupting the heap for further exploitation. For any infrastructure that evaluates untrusted jq queries (CI/CD pipelines, API gateways, data transformation services), this CVSS 8.2 vulnerability represents a meaningful risk that warrants prompt attention.
jq is an open source, purely functional domain specific language for slicing, filtering, and transforming JSON data from the command line. Written in portable C, it is a ubiquitous utility across Linux, macOS, and Windows environments, embedded in countless automation scripts, container images, and cloud tooling. Its role as a foundational building block in data processing pipelines makes vulnerabilities in jq relevant well beyond its modest footprint as a single binary.
Technical Information
The vulnerability resides in two internal functions: jvp_string_append() and jvp_string_copy_replace_bad(). These functions handle string concatenation and replacement operations within jq's value processing layer. The core issue is that the buffer allocation size for the resulting string is computed using a 32 bit unsigned integer. When the combined length of the strings being concatenated exceeds 2^31 bytes, this calculation overflows, wrapping around to a small value.
The allocator then provisions a heap buffer based on this incorrect, drastically undersized value. The memory copy operations that follow do not use the truncated size; they use the actual, full length of the string data. This means the full payload is written into a buffer that is far too small, producing a classic heap buffer overflow.
This vulnerability chain is formally classified as CWE-190 (Integer Overflow or Wraparound) leading to CWE-122 (Heap based Buffer Overflow).
A key detail from the advisory is that jq already enforces size limits on arrays and objects. When CVE-2024-23337 was addressed in version 1.8.0, the maintainers introduced a cap of 2^29 elements for those data structures. However, strings were never given an equivalent bound. CVE-2026-32316 is the direct consequence of that gap.
Attack Flow
-
The attacker identifies a service, script, or endpoint that accepts and evaluates jq expressions from untrusted sources. This could be an API that uses jq for JSON transformation, a webhook processor, or a shared CI/CD pipeline.
-
The attacker crafts a jq query designed to produce a string whose length exceeds 2^31 bytes. This can be achieved through repeated string concatenation or multiplication operations within the jq expression language.
-
When the target system evaluates this query, the
jvp_string_append()orjvp_string_copy_replace_bad()function computes the required buffer size. The 32 bit unsigned integer overflows, resulting in a small allocation. -
The subsequent
memcpy(or equivalent) writes the full string data into the undersized heap buffer, corrupting adjacent heap metadata and data. -
The immediate result is typically a process crash (denial of service). Depending on the heap allocator, memory layout, and operating system, an attacker may be able to leverage the heap corruption for further exploitation.
The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) confirms that exploitation is network accessible, requires low complexity, no privileges, and no user interaction. The primary impact is high availability loss, with low integrity impact.
Affected Systems and Versions
All versions of jq through and including version 1.8.1 are affected. The fix is available in commit e47e56d226519635768e6aab2f38f0ab037c09e5 but has not yet been incorporated into a tagged release at the time of disclosure.
Any system that evaluates untrusted jq queries is vulnerable. This includes but is not limited to:
- Services or APIs that accept jq filter expressions from external users
- CI/CD pipelines where jq processes data from untrusted sources
- Container images and automation scripts using jq versions 1.8.1 or earlier
Vendor Security History
The jq project has addressed several memory safety vulnerabilities in recent releases, reflecting the inherent challenges of a C codebase that handles complex data parsing:
| Vulnerability | Version Addressed | Description |
|---|---|---|
| CVE-2023-50246 | 1.7.1 | Heap buffer overflow in number literal parsing |
| CVE-2024-23337 | 1.8.0 | Signed integer overflow in array and object functions; introduced 2^29 element size limits |
| CVE-2025-48060 | 1.8.0 | Heap buffer overflow in string formatting |
| CVE-2025-49014 | 1.8.1 | Heap use after free in time formatting functions |
The maintainers have been responsive to security reports, and the pattern of fixes shows a progressive hardening of the codebase. CVE-2026-32316 closes a gap that was left open when array and object size limits were introduced but string size limits were not.
