CVE-2026-32875
Received Received - Intake
Buffer Overflow and Infinite Loop in UltraJSON Indent Handling

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32875
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ultrajson_project ultrajson From 5.1.0 (inc) to 5.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32875 is a vulnerability in the UltraJSON (ujson) library versions 5.10 through 5.11.0, specifically in the handling of the indent parameter during JSON encoding with functions like ujson.dumps().

The issue arises when the product of the indent value and the nested depth of the input data exceeds the maximum 32-bit signed integer value (INT32_MAX), causing an integer overflow during memory allocation for indentation. This leads to a buffer overflow and crashes the Python interpreter with a segmentation fault.

Additionally, if a large negative indent value is used, an integer underflow occurs, causing the buffer resizing logic to enter an infinite loop during serialization.

The vulnerability can be triggered if untrusted users control the indent parameter without restrictions, allowing denial of service via crashes or hangs.

Impact Analysis

This vulnerability can lead to denial of service (DoS) attacks against applications using vulnerable versions of UltraJSON.

An attacker who can control the indent parameter can cause the Python interpreter to crash due to a segmentation fault or cause the application to hang indefinitely due to an infinite loop.

Such crashes or hangs can disrupt service availability, potentially affecting reliability and user experience.

Exploitation requires no privileges or user interaction and can be triggered remotely if the service exposes JSON encoding functionality with unsafe indent parameter handling.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing if the ujson.dumps() function crashes or hangs when called with large or negative indent values. Specifically, calling ujson.dumps() with a very large indent parameter (e.g., indent=2000000000) may cause a segmentation fault (crash), and using large negative indent values may cause an infinite loop.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can run Python commands that invoke ujson.dumps() with suspicious indent values and observe if the interpreter crashes or hangs.'}, {'type': 'list_item', 'content': 'Example command to test for crash (segmentation fault):\n\n```python\nimport ujson\ntry:\n ujson.dumps({"key": "value"}, indent=2000000000)\nexcept Exception as e:\n print(f"Exception caught: {e}")\n```\nIf this causes a crash or segmentation fault, the system is vulnerable.'}, {'type': 'list_item', 'content': 'Example command to test for infinite loop:\n\n```python\nimport ujson\n# Use a nested JSON object\nnested_json = {"a": {"b": {"c": "d"}}}\n# Use a large negative indent\nujson.dumps(nested_json, indent=-1000000)\n```\nIf this hangs indefinitely, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Detection requires that the service or system uses ujson.dumps() or related functions with user-controllable indent parameters without restrictions.'}] [1, 3]

Mitigation Strategies

Immediate mitigation steps include upgrading the ultrajson (ujson) library to version 5.12.0 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, restrict or sanitize the indent parameter passed to ujson.dumps(), ujson.dump(), or ujson.encode() to ensure it is a reasonably small non-negative integer, ideally capped at 1000 or less.

  • Disallow or reject large positive indent values that could cause integer overflow.
  • Disallow negative indent values or restrict them to -1 to avoid infinite loops caused by underflow.

Alternatively, avoid using indentation in JSON serialization when user input controls the indent parameter, or use fixed indentation values that are safe.

These mitigations help prevent denial of service attacks caused by crashes or infinite loops triggered by malicious indent values.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart