{
  "ticket_id": "CVE-2026-32316",
  "variant_stage_verdict": "no_bypass_found",
  "verdict_timestamp": "2026-05-28T00:00:00Z",
  "variant_summary": "Four distinct alternate triggers for CVE-2026-32316 were tested on both the vulnerable (jq-1.8.1) and fixed (e47e56d) builds. All variants reproduced the heap-buffer-overflow on the vulnerable build and were gracefully rejected with 'String too long' on the fixed build. No bypass of the patch was discovered.",
  "tested_variants": [
    {
      "variant_id": 1,
      "name": "add over array of large strings",
      "trigger": "[\"A\" * 1073741824, \"A\" * 1073741824] | add",
      "vulnerable_reproduced": true,
      "fixed_bypassed": false,
      "fixed_behavior": "String too long error",
      "logs": {
        "vulnerable": "logs/variant1_vuln.txt",
        "fixed": "logs/variant1_fixed.txt"
      }
    },
    {
      "variant_id": 2,
      "name": "join over array of large strings",
      "trigger": "[\"A\" * 1073741824, \"A\" * 1073741824] | join(\"\")",
      "vulnerable_reproduced": true,
      "fixed_bypassed": false,
      "fixed_behavior": "String too long error",
      "logs": {
        "vulnerable": "logs/variant2_vuln.txt",
        "fixed": "logs/variant2_fixed.txt"
      }
    },
    {
      "variant_id": 3,
      "name": "incremental reduce building large string",
      "trigger": "reduce range(3) as $i (\"\"; . + \"A\" * 1000000000)",
      "vulnerable_reproduced": true,
      "fixed_bypassed": false,
      "fixed_behavior": "String too long error",
      "logs": {
        "vulnerable": "logs/variant3_vuln.txt",
        "fixed": "logs/variant3_fixed.txt"
      }
    },
    {
      "variant_id": 4,
      "name": "string interpolation with large strings",
      "trigger": "\"A\" * 1073741824 as $a | \"\\($a + $a)\"",
      "vulnerable_reproduced": true,
      "fixed_bypassed": false,
      "fixed_behavior": "String too long error",
      "logs": {
        "vulnerable": "logs/variant4_vuln.txt",
        "fixed": "logs/variant4_fixed.txt"
      }
    }
  ],
  "fix_coverage_assessment": "comprehensive_for_this_cve",
  "fix_commit": "e47e56d226519635768e6aab2f38f0ab037c09e5",
  "blocking_mitigation": "The fix adds an INT_MAX check to jvp_string_append and jvp_string_copy_replace_bad, which are the exclusive sinks for all string growth in jq. Therefore every downstream concatenation path (add, join, reduce, interpolation, formatting builtins, etc.) is protected.",
  "untested_or_infeasible_paths": [
    "gsub with expansion on multi-gigabyte strings (infeasibly slow due to Oniguruma regex scan of entire input)"
  ],
  "recommendations": [
    "Add INT_MAX guards to jvp_string_new and jvp_string_empty_new for defense-in-depth.",
    "Add regression tests for add/join/reduce concatenation near INT_MAX boundaries.",
    "Audit parser token buffer growth (jv_parse.c tokenlen*2+256) for separate integer overflow issues."
  ],
  "reproduction_script": "vuln_variant/reproduction_steps.sh",
  "script_exit_code_meaning": "Exit 1 = no bypass found (all variants caught by fix); Exit 0 = bypass reproduced on fixed build."
}