A recently disclosed vulnerability CVE-2026-8295 affects the simdjson C++ library in all versions before 4.6.4.
An integer overflow in string_builder::escape_and_append() can cause incorrect buffer size calculations when processing very large input strings on 32-bit builds (limited size_t width). This can lead to insufficient buffer allocation, out-of-bounds memory reads in SIMD routines, and potentially information disclosure or memory corruption.
The latest release on PECL bundles a version of simdjson older than 4.6.4. Users of this extension are not yet covered by the fix.
Are there plans to release a new version of simdjson_php that vendors simdjson ≥ 4.6.4 to address this CVE?
Happy to help test if useful. Thanks!
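The class of bug described in the issue, as an added example that is not part of the original issue and is not simdjson's code: a worst-case buffer size computed in a 32-bit size type wraps for large inputs, shown beside a checked variant. The `size32` alias, the function names and the expansion factor of 6 are assumptions for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Simplified model of the bug class, not simdjson's code.
// size32 stands in for size_t on a 32-bit build.
using size32 = std::uint32_t;

// Assumption for illustration: escaping may expand each input byte
// to at most 6 output bytes (e.g. a control byte written as \u00XX).
constexpr size32 kWorstCaseExpansion = 6;

// Unchecked: the multiplication wraps modulo 2^32 for large inputs,
// so the returned capacity can be far smaller than the data to write.
size32 capacity_unchecked(size32 input_len) {
    return input_len * kWorstCaseExpansion;
}

// Checked: refuse the request when the product cannot be represented.
// Returns false and leaves `out` untouched on overflow.
bool capacity_checked(size32 input_len, size32 &out) {
    constexpr size32 max = std::numeric_limits<size32>::max();
    if (input_len > max / kWorstCaseExpansion) {
        return false;  // caller must report an error, not allocate
    }
    out = input_len * kWorstCaseExpansion;
    return true;
}

int main() {
    // Constructed sample lengths: a small one, the largest length that
    // still fits, and the first length whose product wraps.
    const size32 samples[] = {1024u, 715827882u, 715827883u};
    for (size32 len : samples) {
        size32 cap = 0;
        bool ok = capacity_checked(len, cap);
        std::printf("len=%u unchecked=%u checked=%s\n",
                    static_cast<unsigned>(len),
                    static_cast<unsigned>(capacity_unchecked(len)),
                    ok ? "ok" : "rejected");
    }
    return 0;
}
```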