UBUNTU-CVE-2026-32316

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-32316
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32316.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-32316
Upstream
  • CVE-2026-32316
Published
2026-04-13T18:16:00Z
Modified
2026-04-22T16:30:53.419463Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvpstringappend() and jvpstringcopyreplacebad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.

References

Affected packages

Ubuntu:22.04:LTS
jq

Package

Name
jq
Purl
pkg:deb/ubuntu/jq@1.6-2.1ubuntu3.1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.6-2.1ubuntu2
1.6-2.1ubuntu3
1.6-2.1ubuntu3.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.6-2.1ubuntu3.1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.6-2.1ubuntu3.1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32316.json"
Ubuntu:24.04:LTS
jq

Package

Name
jq
Purl
pkg:deb/ubuntu/jq@1.7.1-3ubuntu0.24.04.1?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.6-3
1.7-1
1.7.1-2
1.7.1-3
1.7.1-3build1
1.7.1-3ubuntu0.24.04.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.7.1-3ubuntu0.24.04.1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.7.1-3ubuntu0.24.04.1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32316.json"
Ubuntu:25.10
jq

Package

Name
jq
Purl
pkg:deb/ubuntu/jq@1.8.1-3ubuntu1?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.7.1-3ubuntu1
1.7.1-6ubuntu1
1.8.1-3ubuntu1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.8.1-3ubuntu1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.8.1-3ubuntu1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32316.json"
Ubuntu:Pro:14.04:LTS
jq

Package

Name
jq
Purl
pkg:deb/ubuntu/jq@1.3-1.1ubuntu1.1+esm3?arch=source&distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.2-8
1.3-1
1.3-1.1ubuntu1
1.3-1.1ubuntu1.1
1.3-1.1ubuntu1.1+esm3

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.3-1.1ubuntu1.1+esm3",
            "binary_name": "jq"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32316.json"
Ubuntu:Pro:16.04:LTS
jq

Package

Name
jq
Purl
pkg:deb/ubuntu/jq@1.5+dfsg-1ubuntu0.1+esm3?arch=source&distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.4-2.1
1.5+dfsg-1
1.5+dfsg-1ubuntu0.1
1.5+dfsg-1ubuntu0.1+esm2
1.5+dfsg-1ubuntu0.1+esm3

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.5+dfsg-1ubuntu0.1+esm3",
            "binary_name": "jq"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32316.json"
Ubuntu:Pro:18.04:LTS
jq

Package

Name
jq
Purl
pkg:deb/ubuntu/jq@1.5+dfsg-2ubuntu0.1~esm1?arch=source&distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.5+dfsg-2
1.5+dfsg-2ubuntu0.1~esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.5+dfsg-2ubuntu0.1~esm1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32316.json"
Ubuntu:Pro:20.04:LTS
jq

Package

Name
jq
Purl
pkg:deb/ubuntu/jq@1.6-1ubuntu0.20.04.1+esm1?arch=source&distro=esm-infra/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.5+dfsg-2build1
1.6-1
1.6-1ubuntu0.20.04.1
1.6-1ubuntu0.20.04.1+esm1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.6-1ubuntu0.20.04.1+esm1",
            "binary_name": "jq"
        },
        {
            "binary_version": "1.6-1ubuntu0.20.04.1+esm1",
            "binary_name": "libjq1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-32316.json"