{
  "ticket_id": "CVE-2026-32316",
  "code_root": "external/jq",
  "source": {
    "type": "cve",
    "cve_id": "CVE-2026-32316",
    "ghsa_id": "GHSA-q3h9-m34w-h76f",
    "repo": "https://github.com/jqlang/jq"
  },
  "facts": {
    "issue_summary": "jq's string concatenation path (jv_string_concat / jvp_string_new) computes the destination buffer size using 32-bit unsigned arithmetic that overflows when the combined length of the inputs exceeds 2^31 bytes. The subsequent memcpy writes past the undersized heap buffer, corrupting the heap. A jq program that concatenates large attacker-supplied strings (e.g., 'add' over an array of large strings, or 'a + b' with crafted inputs) triggers the overflow.",
    "vulnerability_type": "Integer overflow leading to heap-based buffer overflow",
    "suspected_cwe": ["CWE-190", "CWE-122"],
    "affected_versions": "<= 1.8.1",
    "fixed_versions": ["1.8.2"],
    "reproduce_version": "1.8.1",
    "verify_fixed_version": "master (commit e47e56d226519635768e6aab2f38f0ab037c09e5 or later)",
    "repo_url": "https://github.com/jqlang/jq.git",
    "checkout_ref": "jq-1.8.1",
    "fix_commit": "e47e56d226519635768e6aab2f38f0ab037c09e5",
    "code_root": "external/jq",
    "attacker_access": "anyone able to control jq's input (e.g., a service that runs jq filters on user-supplied JSON)",
    "primary_entry_point": "jv_string_concat in src/jv.c, exercised by filter expressions like 'add' or 'a + b' on large strings",
    "build_hint": "autoreconf -i && ./configure --with-oniguruma=builtin --disable-shared && make -j",
    "trigger_hint": "Generate a JSON array of 4 strings each ~600MB, then run: jq -c 'add | length' big.json. On a vulnerable build, expect heap corruption / SIGSEGV / an ASAN report; on a fixed build, expect a graceful jq error (e.g., 'string concatenation too long' / out-of-memory error / clean exit).",
    "tested_under": "Compile both vulnerable and fixed jq with -fsanitize=address and run the trigger; AddressSanitizer reports a heap-buffer-overflow write on the vulnerable build only."
  }
}
