CVE-2026-32874
Memory Leak in UltraJSON JSON Parsing Causes DoS Vulnerability
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ultrajson_project | ultrajson | From 5.4.0 (inc) to 5.12.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32874 is a vulnerability in the ultrajson (ujson) Python package versions 5.4.0 through 5.11.0. It involves an accumulating memory leak that occurs when parsing large integers outside the range [-2^63, 2^64 - 1]. The leak happens because the code copies the string form of the integer plus an additional NULL byte but fails to free this memory after use. This happens regardless of whether the integer is successfully parsed or rejected due to exceeding digit limits. As a result, an attacker can craft malicious JSON payloads with very large integers to cause the program to consume increasing amounts of memory.

This vulnerability affects any service that uses ujson's load or decode functions on untrusted input, potentially leading to denial of service (DoS) attacks by exhausting system memory.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) condition. Because the memory leak accumulates with each large integer parsed, an attacker can send specially crafted JSON payloads containing large integers to exhaust the memory of the affected system.
This can cause the affected application or service to crash or become unresponsive, disrupting normal operations and potentially causing downtime.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when the ultrajson (ujson) library versions 5.4.0 through 5.11.0 parse large integers outside the range [-2^63, 2^64 - 1], causing an accumulating memory leak. Detection involves monitoring for unusual memory usage patterns in services that use ujson to parse JSON from untrusted sources.
Specifically, you can test if your system is vulnerable by running Python commands that parse large integers with ujson and observing memory behavior. For example:
- Run `ujson.loads(str(2**64 - 1))` which should not leak memory.
- Run `ujson.loads(str(2**64))` which triggers the memory leak.
- Run `ujson.loads(str(10**sys.get_int_max_str_digits()))` which causes a leak and raises a ValueError.
Monitoring memory usage of processes using ujson during such tests or in production when parsing large JSON integers can help detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The only effective mitigation for this vulnerability is to upgrade the ultrajson (ujson) library to version 5.12.0 or later, where the memory leak issue has been fixed.
No other workarounds exist, so updating the library in all affected environments is critical to prevent denial of service attacks caused by memory exhaustion.