Description
An integer overflow vulnerability in the simdjson document-builder API allows incorrect buffer size calculations in "string_builder::escape_and_append()" when processing very large input strings on platforms with limited "size_t" width (e.g., 32-bit builds). The overflow can cause insufficient buffer allocation, leading to out-of-bounds memory reads in SIMD routines and potentially resulting in information disclosure, memory corruption, or malformed JSON output.
This vulnerability has been fixed in the 4.6.4 release.
Published: 2026-05-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow occurs in simdjson's document-builder API within the string_builder::escape_and_append() function, causing the calculated buffer size for very large input strings to wrap around on systems with a 32-bit size_t. The resulting under-allocation can lead to out-of-bounds reads inside SIMD routines, potentially exposing sensitive data, corrupting memory, or generating malformed JSON output. The flaw is exploitable when an attacker supplies an extremely large string that the application passes to the document-builder API.

Affected Systems

The vulnerability affects all releases of the simdjson library version 4.6.3 and earlier when installed on 32‑bit platforms or built with a 32‑bit size_t type. The fix was introduced in release 4.6.4. Systems using older versions of simdjson, especially those that process externally supplied JSON, are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity, and the vulnerability is not listed in CISA's KEV catalog. EPSS data is unavailable, so exploitation likelihood cannot be quantified from the current dataset. The likely attack vector is an application that builds JSON documents from untrusted input on a 32‑bit environment. An attacker who can supply such input could trigger out‑of‑bounds reads, leading to information disclosure or memory corruption, depending on the target process's privileges.

Generated by OpenCVE AI on May 14, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade simdjson to version 4.6.4 or later
  • Rebuild the application on a 64‑bit platform or with a 64‑bit size_t to avoid the overflow
  • If an upgrade is not possible, implement input size validation to reject JSON strings that exceed safe limits before passing them to the document-builder API
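
The input-size check from the last recommendation, as an added example (not simdjson's code). It assumes the builder reserves the JSON worst case of six output bytes per input byte; `uint32_t` models a 32-bit `size_t`, and the function names and the 16 MiB limit are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Unchecked sizing, with uint32_t standing in for a 32-bit size_t.
// Worst case for JSON escaping: a control byte such as 0x01 is written
// as \u0001, so one input byte can need six output bytes (assumed factor).
// Unsigned arithmetic wraps modulo 2^32, so the result can be far
// smaller than the space the escaped string really needs.
std::uint32_t unchecked_capacity32(std::uint32_t input_len) {
  return 6u * input_len;
}

// Checked sizing for uint32_t or size_t: refuse instead of wrapping.
template <typename SizeT>
bool checked_capacity(SizeT input_len, SizeT &needed) {
  const SizeT factor = 6;
  if (input_len > std::numeric_limits<SizeT>::max() / factor) {
    return false;  // 6 * input_len does not fit in SizeT
  }
  needed = factor * input_len;
  return true;
}

// Caller-side guard to run before handing a string to the builder.
// app_limit is an application policy value (hypothetical).
bool safe_to_escape(std::size_t input_len, std::size_t app_limit) {
  std::size_t needed = 0;
  return input_len <= app_limit &&
         checked_capacity<std::size_t>(input_len, needed);
}

int main() {
  const std::uint32_t len = 0x2AAAAAABu;  // constructed sample length
  std::uint32_t needed = 0;
  std::printf("unchecked 32-bit capacity for %u bytes: %u\n",
              static_cast<unsigned>(len),
              static_cast<unsigned>(unchecked_capacity32(len)));
  std::printf("checked sizing accepts it: %s\n",
              checked_capacity<std::uint32_t>(len, needed) ? "yes" : "no");
  return safe_to_escape(1024, 16u * 1024 * 1024) ? 0 : 1;
}
```

On a 32-bit build the division-based check is what keeps the guard itself from wrapping; the policy limit alone is sufficient only when it is set below `SIZE_MAX / 6`.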


Advisories

No advisories yet.

History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Moderate


Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 May 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Simdjson Project
Simdjson Project simdjson
Vendors & Products Simdjson Project
Simdjson Project simdjson

Thu, 14 May 2026 10:45:00 +0000

Type Values Removed Values Added
Description An integer overflow vulnerability in the simdjson document-builder API allows incorrect buffer size calculations in "string_builder::escape_and_append()" when processing very large input strings on platforms with limited "size_t" width (e.g., 32-bit builds). The overflow can cause insufficient buffer allocation, leading to out-of-bounds memory reads in SIMD routines and potentially resulting in information disclosure, memory corruption, or malformed JSON output. This vulnerability has been fixed in 4.6.4 release
Title Integer overflow in simdjson
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-14T17:48:38.036Z

Reserved: 2026-05-11T09:30:25.123Z

Link: CVE-2026-8295

Vulnrichment

Updated: 2026-05-14T17:48:32.073Z

NVD

Status: Deferred

Published: 2026-05-14T11:16:18.770

Modified: 2026-05-19T15:17:37.183

Link: CVE-2026-8295

Redhat

Severity: Moderate

Public Date: 2026-05-14T10:27:41Z

Links: CVE-2026-8295 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T13:45:18Z

Weaknesses