diff --git a/release-notes/CREDITS-2.x b/release-notes/CREDITS-2.x
index b60d60bb62..51bf025bbe 100644
--- a/release-notes/CREDITS-2.x
+++ b/release-notes/CREDITS-2.x
@@ -433,4 +433,8 @@ Antonin Janec (@xtonic)
  * Contributed #1217: Optimize char comparison using bitwise OR
   (2.17.0)
  * Contributed #1218: Simplify Unicode surrogate pair conversion for generation
- (2.17.0)
+  (2.17.0)
+
+Jared Stehler (@jaredstehler)
+ * Reported, contributed fix for #1274: `NUL`-corrupted keys, values on JSON serialization
+  (2.18.0)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 6265ffee3c..a68563a96e 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -30,6 +30,8 @@ a pure JSON library.
   to prevent use by downstream consumers
  (requested by @seadbrane)
 #1271: Deprecate `LockFreePool` implementation in 2.18 (remove from 3.0)
+#1274: `NUL`-corrupted keys, values on JSON serialization
+ (reported, fix contributed by Jared S)
 #1277: Add back Java 22 optimisation in FastDoubleParser
 
 2.17.1 (04-May-2024)
diff --git a/src/main/java/com/fasterxml/jackson/core/io/SerializedString.java b/src/main/java/com/fasterxml/jackson/core/io/SerializedString.java
index 0c4da276bb..ff0db775cc 100644
--- a/src/main/java/com/fasterxml/jackson/core/io/SerializedString.java
+++ b/src/main/java/com/fasterxml/jackson/core/io/SerializedString.java
@@ -37,17 +37,17 @@ public class SerializedString
      *   search framework; and they believed this is an important optimization for
      *   heaviest, multi-core deployed use cases.
      */
-    /*
-     * 22-Sep-2013, tatu: FWIW, there have been no reports of problems in this
-     *   area, or anything pointing to it. So I think we are safe up to JDK7
-     *   and hopefully beyond.
-     */
+    // 22-Sep-2013, tatu: FWIW, there have been no reports of problems in this
+    //   area, or anything pointing to it. So I think we are safe up to JDK7
+    //   and hopefully beyond.
+    // 09-Jun-2024, tatu: Until we are not. As per [core#1274] there are reasons to
+    //   believe `volatile` is actually needed, so will be added in 2.18.0
 
-    protected /*volatile*/ byte[] _quotedUTF8Ref;
+    protected volatile byte[] _quotedUTF8Ref;
 
-    protected /*volatile*/ byte[] _unquotedUTF8Ref;
+    protected volatile byte[] _unquotedUTF8Ref;
 
-    protected /*volatile*/ char[] _quotedChars;
+    protected volatile char[] _quotedChars;
 
     public SerializedString(String v) {
         _value = Objects.requireNonNull(v, "Null String illegal for SerializedString");