Intel

AIKIDO-2026-237202

simd-json is vulnerable to Undefined Behavior

Undefined Behavior Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

20

Low Risk

This Affects:

RUSTsimd-json
0.3.21 - 0.17.1
Fixed in 0.17.2
Are you affected? Scan for Free

TL;DR

simd-json parses JSON structure with unsafe native and NEON SIMD stage-1 code. The NEON stage-1 path stores structural indexes with an alignment-assuming write into an under-aligned buffer, causing undefined behavior that can corrupt memory, and on runtime-detection builds without the portable feature the native fallback skips UTF-8 validation and treats invalid UTF-8 as a valid string. A zero-length buffer allocation also invokes undefined behavior. The fix switches to unaligned writes, adds a native UTF-8 pre-validation step before structural-bit detection, and avoids the zero-size allocation.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

simd-json is vulnerable to Undefined Behavior in versions 0.3.21 - 0.17.1.

How to fix this

Upgrade the simd-json library to the patch version.