Full Report
An integer overflow vulnerability (CVE-2026-8295) has been found in the simdjson library.
Analysis Summary
# Vulnerability: Integer Overflow in simdjson Document-Builder API
## CVE Details
- **CVE ID**: CVE-2026-8295
- **CVSS Score**: Not listed in the source article (typically High for memory corruption / out-of-bounds access)
- **CWE**: CWE-190 (Integer Overflow or Wraparound)
## Affected Systems
- **Products**: simdjson library
- **Versions**: All versions prior to 4.6.4
- **Configurations**: Specifically systems with limited `size_t` width, such as **32-bit builds/platforms**.
## Vulnerability Description
A flaw exists within the document-builder API of the simdjson library. Specifically, `string_builder::escape_and_append()` does not guard its buffer-size arithmetic against overflow when processing exceptionally large input strings. On 32-bit platforms, where `size_t` is only 32 bits wide, the size calculation wraps and the resulting allocation is too small for the escaped output. The subsequent SIMD (Single Instruction, Multiple Data) routines then perform out-of-bounds memory reads while processing the undersized buffer.
## Exploitation
- **Status**: Reported via responsible disclosure (No mention of active exploitation in the wild).
- **Complexity**: Medium (Requires processing specific large string inputs on 32-bit architectures).
- **Attack Vector**: Network/Local (Depending on how the application utilizes simdjson to parse untrusted input).
## Impact
- **Confidentiality**: High (Memory disclosure is possible due to out-of-bounds reads).
- **Integrity**: Medium (Risk of malformed JSON output or memory corruption).
- **Availability**: Medium/High (Memory corruption may lead to application crashes or instability).
## Remediation
### Patches
- **Update to simdjson version 4.6.4** or later. This version contains the fix for the buffer size calculation logic.
### Workarounds
- **Architecture Migration**: Utilize 64-bit builds where the `size_t` width prevents the specific integer overflow described.
- **Input Validation**: Enforce strict length limits on input strings passed to the document-builder API so that they cannot reach the threshold at which the size calculation overflows on 32-bit systems.
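As an added illustration of the arithmetic described above and of the length-limit workaround, the following is example code, not simdjson's own, using `uint32_t` as a stand-in for a 32-bit `size_t`; the 6-byte worst-case escape expansion and the 2-byte quote overhead are assumptions, not the library's actual formula.

```cpp
// Added example (not simdjson code): overflow-safe capacity arithmetic for
// JSON string escaping, modelled with uint32_t standing in for a 32-bit size_t.
#include <cstdint>
#include <cstdio>
#include <limits>

// Assumption: worst case, every input byte becomes "\u00XX" (6 bytes), and the
// escaped string is wrapped in two quote characters.
constexpr uint32_t kMaxExpansion = 6;
constexpr uint32_t kQuotes = 2;

// Unchecked arithmetic: wraps silently once len * 6 + 2 exceeds 2^32 - 1, so a
// buffer allocated from this value is far smaller than what the escaper touches.
uint32_t escaped_capacity_unchecked(uint32_t len) {
    return len * kMaxExpansion + kQuotes;  // modular wraparound on 32-bit size_t
}

// Checked arithmetic: returns false (and allocates nothing) when the worst-case
// escaped size is not representable, instead of handing back a truncated value.
bool escaped_capacity_checked(uint32_t len, uint32_t* out) {
    uint32_t product = 0;
    if (__builtin_mul_overflow(len, kMaxExpansion, &product)) return false;
    if (__builtin_add_overflow(product, kQuotes, out)) return false;
    return true;
}

// Builtin-free form of the same check, usable as an input-length limit before
// the string ever reaches the escaper: largest safe len is (UINT32_MAX - 2) / 6.
bool exceeds_safe_length(uint32_t len) {
    constexpr uint32_t kMax = std::numeric_limits<uint32_t>::max();
    return len > (kMax - kQuotes) / kMaxExpansion;
}

int main() {
    const uint32_t big = 0x30000000u;  // ~805 MB input: fits in 32-bit size_t,
                                       // but its escaped size does not
    uint32_t cap = 0;
    std::printf("unchecked capacity: %u (input was %u)\n",
                escaped_capacity_unchecked(big), big);
    std::printf("checked: %s\n",
                escaped_capacity_checked(big, &cap) ? "ok" : "rejected");
    return 0;
}
```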
## Detection
- **Indicators of Compromise**: Unexpected application crashes (SIGSEGV) in 32-bit environments when processing large JSON payloads.
- **Detection Methods**:
- **Static Analysis**: Audit C++ code for usage of `string_builder::escape_and_append()` in 32-bit projects.
- **Fuzzing**: Stress-test the document-builder API with large, specially crafted strings in a 32-bit test environment to trigger potential OOB reads.
## References
- **Vendor Advisory**: hxxps[://]github[.]com/simdjson/simdjson
- **CVE Record**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-8295
- **CERT Polska Advisory**: hxxps[://]cert[.]pl/en/posts/2026/05/vulnerability-in-simdjson-library/