PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8295 simdjson CVE debrief

A medium-severity integer overflow vulnerability in the simdjson library's document-builder API affects 32-bit builds where size_t width is limited. The flaw in string_builder::escape_and_append() causes incorrect buffer size calculations when processing very large input strings, leading to insufficient buffer allocation. This can trigger out-of-bounds memory reads in SIMD routines with potential consequences including information disclosure, memory corruption, or malformed JSON output. The vulnerability was disclosed on May 14, 2026 and last modified on May 19, 2026. CERT.PL coordinated disclosure and the simdjson project released version 4.6.4 containing the fix.

Vendor
simdjson
Product
Unknown
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-05-19
Advisory published
2026-05-14
Advisory updated
2026-05-19

Who should care

Organizations running simdjson on 32-bit architectures or embedded systems with constrained memory models; developers building simdjson from source with non-standard configurations; security teams monitoring JSON parsing components for memory safety issues.

Technical summary

The vulnerability exists in string_builder::escape_and_append() within the simdjson document-builder API. On platforms with limited size_t width (notably 32-bit builds), processing very large input strings causes an integer overflow during buffer size calculation. This results in allocation of a smaller-than-required buffer, subsequently causing out-of-bounds memory reads during SIMD-optimized string operations. The defect was remediated in simdjson release 4.6.4.

Defensive priority

medium

Recommended defensive actions

  • Upgrade simdjson to version 4.6.4 or later
  • Audit applications using simdjson on 32-bit platforms for large input handling
  • Review custom builds using non-standard size_t widths
  • Monitor for application crashes or malformed JSON output in production systems
  • Apply principle of least privilege to processes parsing untrusted JSON

Evidence notes

CVE published 2026-05-14; modified 2026-05-19. Fix confirmed in simdjson v4.6.4 release. CVSS 4.0 vector provided in NVD source. Weakness classified as CWE-190 (Integer Overflow or Wraparound).

Official resources

2026-05-14T11:16:18.770Z