CVE-2026-32874
Received Received - Intake
Memory Leak in UltraJSON JSON Parsing Causes DoS Vulnerability

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32874
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ultrajson_project ultrajson From 5.4.0 (inc) to 5.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32874 is a vulnerability in the ultrajson (ujson) Python package versions 5.4.0 through 5.11.0. It involves an accumulating memory leak that occurs when parsing large integers outside the range [-2^63, 2^64 - 1]. The leak happens because the code copies the string form of the integer plus an additional NULL byte but fails to free this memory after use. This happens regardless of whether the integer is successfully parsed or rejected due to exceeding digit limits. As a result, an attacker can craft malicious JSON payloads with very large integers to cause the program to consume increasing amounts of memory.'}, {'type': 'paragraph', 'content': "This vulnerability affects any service that uses ujson's load or decode functions on untrusted input, potentially leading to denial of service (DoS) attacks by exhausting system memory."}] [2, 3]

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. Because the memory leak accumulates with each large integer parsed, an attacker can send specially crafted JSON payloads containing large integers to exhaust the memory of the affected system.

This can cause the affected application or service to crash or become unresponsive, disrupting normal operations and potentially causing downtime.

Compliance Impact

I don't know

Detection Guidance

This vulnerability occurs when the ultrajson (ujson) library versions 5.4.0 through 5.11.0 parse large integers outside the range [-2^63, 2^64 - 1], causing an accumulating memory leak. Detection involves monitoring for unusual memory usage patterns in services that use ujson to parse JSON from untrusted sources.

Specifically, you can test if your system is vulnerable by running Python commands that parse large integers with ujson and observing memory behavior. For example:

  • Run `ujson.loads(str(2**64 - 1))` which should not leak memory.
  • Run `ujson.loads(str(2**64))` which triggers the memory leak.
  • Run `ujson.loads(str(10**sys.get_int_max_str_digits()))` which causes a leak and raises a ValueError.

Monitoring memory usage of processes using ujson during such tests or in production when parsing large JSON integers can help detect the vulnerability.

Mitigation Strategies

The only effective mitigation for this vulnerability is to upgrade the ultrajson (ujson) library to version 5.12.0 or later, where the memory leak issue has been fixed.

No other workarounds exist, so updating the library in all affected environments is critical to prevent denial of service attacks caused by memory exhaustion.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart