CVE-2026-32874

CVE-2026-32874 is a high-severity vulnerability in Ultrajson Project Ultrajson with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-401.

Key facts

Description

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.

Frequently asked questions

What is CVE-2026-32874?
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.
How severe is CVE-2026-32874?
CVE-2026-32874 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
Is CVE-2026-32874 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (38th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-32874?
CVE-2026-32874 affects Ultrajson Project Ultrajson. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-32874?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2026-32874 have an EU (EUVD) identifier?
Yes. CVE-2026-32874 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13443.
When was CVE-2026-32874 published?
CVE-2026-32874 was published on 2026-03-20 and last updated on 2026-06-30.

References

Affected products (1)

More vulnerabilities in Ultrajson Project Ultrajson

All CVEs affecting Ultrajson Project Ultrajson →

Other CWE-401 (Missing Release of Memory after Effective Lifetime) vulnerabilities

Browse all CWE-401 (Missing Release of Memory after Effective Lifetime) vulnerabilities →