Skip to content
Verified reproduction

CVE-2026-32316: jq: integer overflow in jv_string_concat triggers heap buffer overflow on large strings

CVE-2026-32316 is verified against jq · github affected versions: <= 1.8.1 fixed version: 1.8.2 vulnerability class: Buffer Overflow This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00170.

REPRO-2026-00170 jq · github Buffer Overflow Variant found May 28, 2026 CVE entry .txt
Severity HIGH
Confidence HIGH
Reproduced in 32m 33s
Tool calls 182
Spend $1.56
Affected <= 1.8.1
Fixed in 1.8.2
$ pruva-verify REPRO-2026-00170
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00170/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

jq's jv_string_concat (called by the + operator on strings and by add over an array of strings) computes the size of the destination buffer using a 32-bit int/uint32_t arithmetic. When the sum of the two input string lengths exceeds 2^31 bytes, the size computation wraps around, allocating a heap buffer much smaller than what's about to be written. The subsequent memcpy writes past the buffer, corrupting adjacent heap data — a classic CWE-190 → CWE-122 chain.

Any service that runs jq filters on attacker-controlled input (the common pattern in CI pipelines, log shippers, observability stacks, k8s admission webhooks, etc.) is exposed. The attacker only needs the ability to deliver ~2 GB of JSON string content to a jq invocation that concatenates it; on systems with sufficient memory the overflow is reachable and reproducible.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.