{
  "ticket_id": "CVE-2026-32316",
  "verdict": "CONFIRMED",
  "reproducible": true,
  "issue_type": "integer_overflow_heap_buffer_overflow",
  "root_cause": "jvp_string_append in src/jv.c uses uint32_t arithmetic to compute the allocation size, (currlen + len) * 2, which wraps around when the combined length of the concatenated strings exceeds INT_MAX bytes; memcpy then writes the full string data into the resulting undersized heap buffer.",
  "affected_component": "jq/src/jv.c - jvp_string_append / jv_string_concat",
  "vulnerable_version": "jq <= 1.8.1",
  "fixed_commit": "e47e56d226519635768e6aab2f38f0ab037c09e5",
  "trigger_input": "\"A\" * 1073741824 as $a | $a + $a",
  "vulnerable_behavior": {
    "exit_code": 1,
    "stderr_contains": "ERROR: AddressSanitizer: heap-buffer-overflow",
    "crash_location": "jvp_string_append src/jv.c:1191",
    "write_size": 1073741824,
    "allocated_region_size": 49
  },
  "fixed_behavior": {
    "exit_code": 5,
    "stderr_contains": "String too long",
    "sanity_check": "Gracefully rejects the oversized string instead of overflowing"
  },
  "evidence": {
    "asan_detected_overflow": true,
    "overflow_function": "jvp_string_append",
    "overflow_file": "src/jv.c",
    "overflow_line": 1191,
    "fix_adds_overflow_check": true,
    "fix_uses_64bit_comparison": true
  },
  "reproduction_script": "repro/reproduction_steps.sh",
  "logs": {
    "vulnerable_stderr": "logs/vulnerable_stderr.txt",
    "fixed_stderr": "logs/fixed_stderr.txt"
  },
  "confidence": "high",
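  "notes": "The vulnerability was reproduced on the vulnerable build with AddressSanitizer, which reported a heap-buffer-overflow: a 1 GiB (1073741824-byte) write into a 49-byte allocated region. The fixed build reports 'String too long' and exits with status 5 without any memory-safety error; a non-zero exit code is the expected result for the fixed build."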
}
