jq Integer Overflow: Heap Buffer Overflow Risk from Untrusted Queries
The National Vulnerability Database (NVD) recently detailed CVE-2026-32316, a high-severity integer overflow in jq, the popular command-line JSON processor. This vulnerability, present in versions up to 1.8.1, stems from the jvp_string_append() and jvp_string_copy_replace_bad() functions. Essentially, when jq concatenates strings whose combined length exceeds 2^31 bytes, a 32-bit unsigned integer overflow occurs during the buffer allocation size calculation.
This calculation error leads to a drastically undersized heap buffer. Subsequent memory copy operations then attempt to write the full, larger string data into this smaller buffer, triggering a heap-based buffer overflow (CWE-122). The root cause, as highlighted by the NVD, is a glaring absence of string size bounds checking—a safeguard already in place for arrays and objects within jq. Any system parsing untrusted jq queries is vulnerable, opening the door for attackers to crash processes or potentially achieve further exploitation through heap corruption by crafting specific, oversized string queries. The fix has been implemented in commit e47e56d226519635768e6aab2f38f0ab037c09e5.
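The size arithmetic described above, as an added sketch that is not jq's source code or the upstream patch. It assumes the new capacity is computed as twice the combined length in 32-bit unsigned arithmetic; the function names and the MAX_STRING_LEN cap are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on a string's length for this sketch. */
#define MAX_STRING_LEN ((uint32_t)INT32_MAX)

/* Unchecked: every step is uint32_t, so the result wraps modulo 2^32. */
static uint32_t alloc_size_unchecked(uint32_t cur_len, uint32_t add_len) {
    return (cur_len + add_len) * 2u;
}

/* Checked: widen to 64 bits, refuse oversized totals, then size the buffer.
 * total <= INT32_MAX guarantees total * 2 still fits in uint32_t. */
static bool alloc_size_checked(uint32_t cur_len, uint32_t add_len,
                               uint32_t *out) {
    uint64_t total = (uint64_t)cur_len + (uint64_t)add_len;
    if (total > MAX_STRING_LEN)
        return false;               /* caller must fail the append */
    *out = (uint32_t)(total * 2u);
    return true;
}

int main(void) {
    /* Constructed lengths: a 2 GiB string plus 16 more bytes. */
    uint32_t cur = 0x80000000u, add = 16u, sz = 0;

    printf("data to copy : %" PRIu64 " bytes\n", (uint64_t)cur + add);
    printf("unchecked cap: %" PRIu32 " bytes\n",
           alloc_size_unchecked(cur, add));
    if (!alloc_size_checked(cur, add, &sz))
        printf("checked      : rejected before allocation\n");

    /* An ordinary append is sized identically by both versions. */
    if (alloc_size_checked(1000u, 24u, &sz))
        printf("small append : %" PRIu32 " bytes\n", sz);
    return 0;
}
```

With the constructed lengths, the unchecked calculation yields a 32-byte capacity for more than 2 GiB of data, which is the undersized buffer the advisory describes; the checked version refuses the append before any allocation or copy takes place.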
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-32316 | Buffer Overflow | jq software version <= 1.8.1 |
| CVE-2026-32316 | Integer Overflow | jq function jvp_string_append() |
| CVE-2026-32316 | Integer Overflow | jq function jvp_string_copy_replace_bad() |
| CVE-2026-32316 | Heap-based Buffer Overflow | CWE-122 |
| CVE-2026-32316 | Integer Overflow | CWE-190 |