CVE-2026-8295 Overview
CVE-2026-8295 is an integer overflow vulnerability in the simdjson document-builder API. The flaw resides in the string_builder::escape_and_append() function, which performs incorrect buffer size calculations when processing very large input strings. The issue affects platforms with limited size_t width, such as 32-bit builds. The overflow leads to insufficient buffer allocation, which in turn triggers out-of-bounds memory reads in SIMD routines. Consequences include information disclosure, memory corruption, or malformed JSON output. The vulnerability has been fixed in the simdjson 4.6.4 release. It is tracked under CWE-190: Integer Overflow or Wraparound.
Critical Impact
A remote attacker supplying a sufficiently large JSON string to a 32-bit application using simdjson can trigger out-of-bounds reads, potentially disclosing memory contents or corrupting application state.
Affected Products
- simdjson library versions prior to 4.6.4
- Applications built against simdjson on 32-bit platforms with narrow size_t width
- JSON parsing pipelines invoking the document-builder API and string_builder::escape_and_append()
Discovery Timeline
- 2026-05-14 - CVE-2026-8295 published to NVD
- 2026-05-14 - Last updated in NVD database
- simdjson 4.6.4 - Upstream fix released by the simdjson maintainers
Technical Details for CVE-2026-8295
Vulnerability Analysis
The vulnerability stems from an arithmetic miscalculation inside string_builder::escape_and_append(). The function computes the required buffer size for an escaped JSON string by multiplying or adding values derived from the input length. On 32-bit builds, size_t is 32 bits wide, so these calculations can wrap around when the input string is large enough.
The wrap produces a smaller-than-required allocation. Subsequent SIMD-accelerated copy or escape routines write and read past the end of the undersized buffer. The out-of-bounds reads can leak adjacent heap memory back into the produced JSON, while writes can corrupt allocator metadata or neighboring objects.
Because simdjson is widely embedded in web servers, data pipelines, and message brokers, any 32-bit deployment that ingests attacker-controlled JSON is exposed. 64-bit builds are not directly affected because the size_t arithmetic does not overflow in practice for realistic inputs.
Root Cause
The root cause is unchecked integer arithmetic on length values used to size a destination buffer. The code did not validate that the computed size fit within size_t before invoking the allocator. This is a textbook CWE-190 defect amplified by SIMD routines that assume the allocation is correctly sized.
Attack Vector
An attacker delivers a crafted JSON payload containing a very large string to an application using simdjson on a 32-bit build. Parsing through the document-builder API invokes escape_and_append(), which under-allocates and then reads out of bounds during SIMD escaping. The attack vector is network-reachable wherever the parser consumes untrusted input.
No verified public exploit code is available. Refer to the CERT Poland CVE Analysis and the GitHub Release Notes v4.6.4 for technical specifics.
Detection Methods for CVE-2026-8295
Indicators of Compromise
- Application crashes or segmentation faults in processes that parse JSON using simdjson on 32-bit hosts
- Malformed JSON responses emitted by services that previously produced well-formed output
- Unexplained fragments of heap memory appearing within JSON fields returned to clients
- Inbound HTTP or API requests containing JSON strings several hundred megabytes or larger
Detection Strategies
- Inventory all binaries linked against simdjson and identify those compiled for 32-bit architectures
- Inspect dependency manifests for simdjson versions earlier than 4.6.4
- Deploy runtime memory-safety tooling such as AddressSanitizer in test environments to surface out-of-bounds reads in escape_and_append()
- Add web application firewall rules that flag JSON payloads exceeding a defined string-length threshold
Monitoring Recommendations
- Alert on abnormal process termination signals (SIGSEGV, SIGABRT) on services handling external JSON
- Log and review HTTP request body sizes for endpoints that accept JSON
- Correlate parser error rates with input size distributions to detect probing attempts
How to Mitigate CVE-2026-8295
Immediate Actions Required
- Upgrade simdjson to version 4.6.4 or later across all build pipelines and dependent applications
- Rebuild and redeploy all binaries that statically link simdjson after upgrading
- Audit 32-bit deployments and prioritize them for patching or migration to 64-bit builds
- Restrict the maximum accepted JSON payload size at the application or proxy layer
Patch Information
The simdjson maintainers fixed the integer overflow in the 4.6.4 release. The corrected code validates length calculations before allocation in string_builder::escape_and_append(). Patch details and release artifacts are available at the GitHub Release Notes v4.6.4. Additional analysis is published in the CERT Poland CVE Analysis.
Workarounds
- Reject JSON inputs above a conservative size limit (for example, 16 MB) at the network edge
- Rebuild affected services as 64-bit binaries where feasible, eliminating the narrow size_t overflow path
- Route untrusted JSON through a hardened pre-parser that enforces string-length bounds before invoking simdjson
# Configuration example: enforce JSON body size limit in nginx
http {
client_max_body_size 16m;
server {
location /api/ {
client_body_buffer_size 16m;
proxy_pass http://backend;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
