{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32874", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.420Z", "datePublished": "2026-03-20T01:31:30.207Z", "dateUpdated": "2026-03-20T01:31:30.207Z"}, "containers": {"cna": {"title": "UltraJSON has a Memory Leak parsing large integers allows DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"}, {"name": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2", "tags": ["x_refsource_MISC"], "url": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2"}, {"name": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0"}], "affected": [{"vendor": "ultrajson", "product": "ultrajson", "versions": [{"version": ">= 5.4.0, < 5.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:31:30.207Z"}, "descriptions": [{"lang": "en", "value": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0."}], "source": {"advisory": "GHSA-wgvc-ghv9-3pmm", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0."}], "id": "CVE-2026-32874", "lastModified": "2026-03-20T02:16:35.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:35.703", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2"}, {"source": "security-advisories@github.com", "url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "UltraJSON: UltraJSON: Denial of Service due to memory leak when parsing large integers", "id": "2449411", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449411"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in UltraJSON, a fast JSON encoder and decoder. A remote attacker can exploit this vulnerability by providing specially crafted JSON input that contains extremely large integers. When UltraJSON attempts to parse these inputs, it leads to an accumulating memory leak. This excessive memory consumption can ultimately result in a denial of service (DoS) for any service that processes untrusted JSON inputs using UltraJSON."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-32874", "package_state": [{"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "python-ujson", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "python-ujson", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "python-ujson", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-03-20T01:31:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32874\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32874\nhttps://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2\nhttps://github.com/ultrajson/ultrajson/releases/tag/5.12.0\nhttps://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"], "statement": "This IMPORTANT flaw in UltraJSON can lead to a denial of service in services that process untrusted JSON inputs. Specially crafted JSON containing excessively large integers can trigger a memory leak, consuming system resources. This affects Red Hat OpenStack Platform and Community Projects utilizing `python-ujson`.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.4.0,5.12.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ultrajson", "vendor": "ultrajson"}], "analysis": {"en": {"generated_at": "2026-03-20T03:31:06.029450+00:00", "value": {"mitigation_remediation": ["Upgrade ultrajson to version 5.12.0 or later.", "If an upgrade is not immediately possible, validate and constrain JSON input sizes before passing them to ujson.load/loads/decode.", "Review deployments to ensure no vulnerable ultrajson versions are in use.", "Monitor application memory usage for anomalous growth patterns as a potential indicator of exploitation."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects ultrajson:ultrajson library versions 5.4.0 to 5.11.0. Services using ujson.load(), ujson.loads(), or ujson.decode() on untrusted inputs are at risk until upgrading to version 5.12.0 or later.", "description_and_impact": "UltraJSON, a high-performance JSON library for Python, has a memory leak that occurs when parsing integers larger than the supported range of [-2^63, 2^64\u00a0-\u00a01]. Each oversized integer causes library to copy the string representation of the number and a terminating NULL byte into memory, but it never frees that buffer. The leak happens regardless of whether the integer is accepted or rejected, allowing an attacker to craft an input that grows the memory usage incrementally. The result is an increase in memory consumption that can exhaust system resources and trigger a denial of service.\n\nAffected systems: The vulnerability exists in ultrajson versions 5.4.0 through 5.11.0. Any program that calls ujson.load(), ujson.loads(), or ujson.decode() on untrusted data while using one of these versions is susceptible. The issue was fixed in version 5.12.0.\n\nRisk and exploitability: The CVSS base score is 7.5, indicating high severity. The EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the weakness by sending specially crafted JSON payloads containing very large integers to any service that relies on the affected ultrajson library. Because the leak occurs regardless of parsing success, there is no requirement for additional privileges or privileges escalation beyond the target service's execution context.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity risk. The absence of an EPSS score means that current exploit probability data is not available. The vulnerability is not in the KEV catalog. Attackers can exploit this defect by feeding a large integer value in a JSON payload; the memory leak will continuously grow until the system runs out of memory, leading to a denial of service. No additional privileges or network exposure are required beyond the application\u2019s normal operation on untrusted data."}}}}, "created": "2026-03-20T08:53:36.641091+00:00", "updated": "2026-03-20T10:43:30.107881+00:00", "vendors": ["ultrajson", "ultrajson$PRODUCT$ultrajson"]}