Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
An integer overflow vulnerability in the simdjson document-builder API allows incorrect buffer size calculations in "string_builder::escape_and_append()" when processing very large input strings on platforms with limited "size_t" width (e.g., 32-bit builds). The overflow can cause insufficient buffer allocation, leading to out-of-bounds memory reads in SIMD routines and potentially resulting in information disclosure, memory corruption, or malformed JSON output. This vulnerability has been fixed in 4.6.4 release
AnalysisAI
Integer overflow in simdjson's string_builder::escape_and_append() function allows out-of-bounds memory reads in SIMD routines when processing very large input strings on 32-bit platforms, potentially resulting in information disclosure or memory corruption. The vulnerability affects all versions before 4.6.4 and has been patched by the vendor.
Technical ContextAI
simdjson is a high-performance JSON parsing library that uses SIMD (Single Instruction Multiple Data) operations to accelerate document parsing. The vulnerability exists in the document-builder API's string_builder::escape_and_append() function, which calculates buffer sizes for escaped string output. On 32-bit systems where size_t has limited width (typically 32 bits), processing very large input strings can cause integer overflow during buffer size calculation (CWE-190). This results in an undersized buffer allocation, which is then exceeded by SIMD write operations, triggering out-of-bounds memory access. The issue is particularly acute because the SIMD routines operate on multiple bytes per instruction, making bounds checking difficult and increasing the scope of potential memory corruption.
RemediationAI
Vendor-released patch: upgrade to simdjson version 4.6.4 or later. This patch release specifically addresses the integer overflow in the string builder class. For users unable to upgrade immediately, the most practical compensating control is to restrict the maximum size of JSON documents accepted by the parser - implement input size limits that prevent processing of extremely large input strings that would trigger the integer overflow condition on 32-bit systems. Additionally, prioritize upgrading 32-bit deployments first, as 64-bit systems have significantly lower practical risk due to the wider size_t type. Verify that your build is using the patched version by checking GitHub releases at https://github.com/simdjson/simdjson/releases/tag/v4.6.4.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30265
GHSA-fh2w-3fv3-7vw2