diff --git a/include/flatbuffers/verifier.h b/include/flatbuffers/verifier.h
index a0b793597c..8ca5013f8c 100644
--- a/include/flatbuffers/verifier.h
+++ b/include/flatbuffers/verifier.h
@@ -254,11 +254,12 @@ class VerifierTemplate FLATBUFFERS_FINAL_CLASS {
 
   template <typename T, typename SizeT = uoffset_t>
   bool VerifySizePrefixedBuffer(const char* const identifier) {
-    return Verify<SizeT>(0U) &&
-           // Ensure the prefixed size is within the bounds of the provided
-           // length.
-           Check(ReadScalar<SizeT>(buf_) + sizeof(SizeT) <= size_) &&
-           VerifyBufferFromStart<T>(identifier, sizeof(SizeT));
+    if (!Verify<SizeT>(0U)) return false;
+    // Ensure the prefixed size is within the bounds of the provided length.
+    const auto prefixed_size = static_cast<uint64_t>(ReadScalar<SizeT>(buf_));
+    const auto max_payload_size = static_cast<uint64_t>(size_ - sizeof(SizeT));
+    if (!Check(prefixed_size <= max_payload_size)) return false;
+    return VerifyBufferFromStart<T>(identifier, sizeof(SizeT));
   }
 
   template <typename OffsetT = uoffset_t, typename SOffsetT = soffset_t>
diff --git a/tests/64bit/offset64_test.cpp b/tests/64bit/offset64_test.cpp
index d185e38994..dee0b9f200 100644
--- a/tests/64bit/offset64_test.cpp
+++ b/tests/64bit/offset64_test.cpp
@@ -374,6 +374,17 @@ void Offset64SizePrefix() {
 
   // Verify the fields.
   TEST_EQ_STR(root_table->near_string()->c_str(), "some near string");
+
+  std::vector<uint8_t> tampered(builder.GetBufferPointer(),
+                                builder.GetBufferPointer() + builder.GetSize());
+  WriteScalar<uoffset64_t>(tampered.data(),
+                           (std::numeric_limits<uoffset64_t>::max)());
+
+  Verifier::Options tampered_options = options;
+  tampered_options.assert = false;
+  Verifier tampered_verifier(tampered.data(), tampered.size(),
+                             tampered_options);
+  TEST_EQ(VerifySizePrefixedRootTableBuffer(tampered_verifier), false);
 }
 
 void Offset64ManyVectors() {