CVE-2026-32316: jq: integer overflow in jv_string_concat triggers heap buffer overflow on large strings
CVE-2026-32316 is verified against jq · github affected versions: <= 1.8.1 fixed version: 1.8.2 vulnerability class: Buffer Overflow This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00170.
pruva-verify REPRO-2026-00170 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00170/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh jq's jv_string_concat (called by the + operator on strings and by add over an array of strings) computes the size of the destination buffer using a 32-bit int/uint32_t arithmetic. When the sum of the two input string lengths exceeds 2^31 bytes, the size computation wraps around, allocating a heap buffer much smaller than what's about to be written. The subsequent memcpy writes past the buffer, corrupting adjacent heap data — a classic CWE-190 → CWE-122 chain.
Any service that runs jq filters on attacker-controlled input (the common pattern in CI pipelines, log shippers, observability stacks, k8s admission webhooks, etc.) is exposed. The attacker only needs the ability to deliver ~2 GB of JSON string content to a jq invocation that concatenates it; on systems with sufficient memory the overflow is reachable and reproducible.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.