{
  "variant_id": "CVE-2026-32316-variant-analysis",
  "created_at": "2026-05-28T00:00:00Z",
  "variant_summary": "Systematic variant analysis of CVE-2026-32316 (jq integer overflow in string concatenation). Four materially distinct alternate triggers were tested (add, join, reduce, interpolation). All reproduced on the vulnerable build (jq-1.8.1) and were caught by the fixed build (commit e47e56d). No bypass of the patch was found.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/jqlang/jq",
  "submitted_target": {
    "target_kind": "git_tag",
    "version": "1.8.1",
    "ref": "jq-1.8.1",
    "display": "jq-1.8.1 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "e47e56d226519635768e6aab2f38f0ab037c09e5",
    "version": "1.8.2",
    "display": "jq fixed commit e47e56d (master, post-1.8.1)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "string_concatenation",
  "validated_surface": "string_concatenation",
  "required_entrypoint_kind": "jq_builtin_and_operator",
  "required_entrypoint_detail": "add over array of strings, join, reduce with binop_plus (+), string interpolation (\\(...\\) syntax)",
  "attacker_controlled_input": "JSON string content and jq filter expressions that concatenate strings whose total byte length reaches or exceeds INT_MAX (2,147,483,647 bytes)",
  "trigger_path": "binop_plus (src/builtin.c:96) -> jv_string_concat (src/jv.c:1509) -> jvp_string_append (src/jv.c:1179)",
  "observed_impact_class": "heap_buffer_overflow",
  "exploitability_confidence": "high_on_vulnerable_none_on_fixed",
  "evidence_scope": "source_audit_and_runtime_testing",
  "runtime_manifest_present": false,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "mitigated_by_fix",
  "blocking_mitigation": "Commit e47e56d adds an INT_MAX overflow check to jvp_string_append and jvp_string_copy_replace_bad, which catches all tested variant entry points before the vulnerable memcpy executes.",
  "file_path": "src/jv.c",
  "line_start": 1179,
  "line_end": 1182,
  "secondary_anchors": [
    {
      "file_path": "src/jv.c",
      "line_start": 1118,
      "line_end": 1122
    },
    {
      "file_path": "src/builtin.c",
      "line_start": 96,
      "line_end": 98
    }
  ],
  "review_scope_paths": [
    "src/jv.c",
    "src/builtin.c",
    "src/builtin.jq",
    "src/jv_print.c",
    "src/jv_parse.c"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": null,
    "repro_log": "logs/",
    "root_cause_equivalence": null,
    "reproducer": [
      "vuln_variant/reproduction_steps.sh"
    ]
  }
}