Skip to main content

simdjson CVE-2026-8295

| EUVDEUVD-2026-30265 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-14 CERT-PL GHSA-fh2w-3fv3-7vw2
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Source Code Evidence Fetched
May 14, 2026 - 13:15 vuln.today
Analysis Generated
May 14, 2026 - 13:15 vuln.today
Patch available
May 14, 2026 - 12:01 EUVD
CVSS changed
May 14, 2026 - 11:22 NVD
6.9 (MEDIUM)
CVE Published
May 14, 2026 - 10:27 nvd
UNKNOWN (no severity yet)
CVE Published
May 14, 2026 - 10:27 nvd
MEDIUM 6.9

DescriptionCVE.org

An integer overflow vulnerability in the simdjson document-builder API allows incorrect buffer size calculations in "string_builder::escape_and_append()" when processing very large input strings on platforms with limited "size_t" width (e.g., 32-bit builds). The overflow can cause insufficient buffer allocation, leading to out-of-bounds memory reads in SIMD routines and potentially resulting in information disclosure, memory corruption, or malformed JSON output. This vulnerability has been fixed in 4.6.4 release

AnalysisAI

Integer overflow in simdjson's string_builder::escape_and_append() function allows out-of-bounds memory reads in SIMD routines when processing very large input strings on 32-bit platforms, potentially resulting in information disclosure or memory corruption. The vulnerability affects all versions before 4.6.4 and has been patched by the vendor.

Technical ContextAI

simdjson is a high-performance JSON parsing library that uses SIMD (Single Instruction Multiple Data) operations to accelerate document parsing. The vulnerability exists in the document-builder API's string_builder::escape_and_append() function, which calculates buffer sizes for escaped string output. On 32-bit systems where size_t has limited width (typically 32 bits), processing very large input strings can cause integer overflow during buffer size calculation (CWE-190). This results in an undersized buffer allocation, which is then exceeded by SIMD write operations, triggering out-of-bounds memory access. The issue is particularly acute because the SIMD routines operate on multiple bytes per instruction, making bounds checking difficult and increasing the scope of potential memory corruption.

RemediationAI

Vendor-released patch: upgrade to simdjson version 4.6.4 or later. This patch release specifically addresses the integer overflow in the string builder class. For users unable to upgrade immediately, the most practical compensating control is to restrict the maximum size of JSON documents accepted by the parser - implement input size limits that prevent processing of extremely large input strings that would trigger the integer overflow condition on 32-bit systems. Additionally, prioritize upgrading 32-bit deployments first, as 64-bit systems have significantly lower practical risk due to the wider size_t type. Verify that your build is using the patched version by checking GitHub releases at https://github.com/simdjson/simdjson/releases/tag/v4.6.4.

Vendor StatusVendor

Share

CVE-2026-8295 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy