Integer Overflow Vulnerability in simdjson Document-Builder API
CVE-2026-8295

6.9 MEDIUM

Key Information:

Vendor

Simdjson

Status
Vendor
CVE Published: 14 May 2026

What is CVE-2026-8295?

The simdjson library has a vulnerability related to integer overflow within its document-builder API, specifically in the 'string_builder::escape_and_append()' function. This issue arises when processing large input strings, particularly on 32-bit platforms where the size_t data type has limited width. The overflow can result in miscalculations of buffer sizes, leading to insufficient allocation. Consequently, this may trigger out-of-bounds memory reads within SIMD routines, presenting risks such as information disclosure, memory corruption, or the generation of malformed JSON outputs. Users are advised to upgrade to version 4.6.4 where this vulnerability has been addressed.
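The size miscalculation described above, as an added example that is not simdjson's code: it shows how a worst-case escaped-size computation wraps when `size_t` is 32 bits wide, next to an overflow-checked form. Assumptions: 32-bit `size_t` is modelled with `uint32_t`, the worst-case expansion is taken as six output bytes per input byte (a control character escaped as `\u00XX`), and all function names are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumption: model a 32-bit size_t so the wrap reproduces on a 64-bit host.
using size32_t = std::uint32_t;

// Assumption: worst case for JSON escaping is 6 output bytes per input byte
// (control character -> \u00XX). The library's real formula is not on the page.
constexpr size32_t kWorstCaseExpansion = 6;

// Unchecked form: product and sum silently wrap modulo 2^32, so a huge
// input can yield a tiny "required" size and an undersized buffer.
size32_t needed_unchecked(size32_t used, size32_t input_len) {
    return static_cast<size32_t>(used + input_len * kWorstCaseExpansion);
}

// Checked form: rejects any request whose true size does not fit in 32 bits.
bool needed_checked(size32_t used, size32_t input_len, size32_t &out) {
    constexpr size32_t kMax = std::numeric_limits<size32_t>::max();
    if (input_len > kMax / kWorstCaseExpansion) return false;  // product wraps
    const size32_t grow = input_len * kWorstCaseExpansion;
    if (grow > kMax - used) return false;                      // sum wraps
    out = used + grow;
    return true;
}

// Hypothetical guard a builder would run before writing escaped output:
// append only if the checked requirement fits the current capacity.
bool can_append(size32_t capacity, size32_t used, size32_t input_len) {
    size32_t need = 0;
    return needed_checked(used, input_len, need) && need <= capacity;
}

int main() {
    const size32_t used = 16;
    const size32_t len = 0x2AAAAAABu;  // constructed: 6 * len == 2^32 + 2
    size32_t need = 0;
    std::printf("unchecked requirement: %u bytes\n", needed_unchecked(used, len));
    std::printf("checked accepts: %s\n",
                needed_checked(used, len, need) ? "yes" : "no");
    std::printf("guard allows append into 4096-byte buffer: %s\n",
                can_append(4096, used, len) ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the same arithmetic in a native `size_t` does not wrap for this input, which is why the description singles out 32-bit platforms.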

Affected Version(s)

simdjson 32 bit 0 < 4.6.4

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)