CVE-2026-32875
CVE-2026-32875 is a high-severity vulnerability in Ultrajson Project Ultrajson with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-190.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 0% (37th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-13444
- Weakness: CWE-190
- Affected product: Ultrajson Project Ultrajson
- Published:
- Last modified:
Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.
Frequently asked questions
- What is CVE-2026-32875?
- UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.
- How severe is CVE-2026-32875?
- CVE-2026-32875 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-32875 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (37th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-32875?
- CVE-2026-32875 affects Ultrajson Project Ultrajson. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-32875?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-32875 have an EU (EUVD) identifier?
- Yes. CVE-2026-32875 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13444.
- When was CVE-2026-32875 published?
- CVE-2026-32875 was published on 2026-03-20 and last updated on 2026-06-30.
References
- https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea
- https://github.com/ultrajson/ultrajson/issues/700
- https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c8rr-9gxc-jprv
- https://access.redhat.com/security/cve/CVE-2026-32875
- https://bugzilla.redhat.com/show_bug.cgi?id=2449400
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-32875.json
Affected products (1)
- cpe:2.3:a:ultrajson_project:ultrajson:*:*:*:*:*:python:*:*
More vulnerabilities in Ultrajson Project Ultrajson
- CVE-2026-44660 — High (CVSS 7.5): UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when…
- CVE-2026-32874 — High (CVSS 7.5): UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through…
- CVE-2022-31116 — High (CVSS 7.5): UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Affected versions were…
- CVE-2026-54911 — Medium (CVSS 6.5): UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0,…
- CVE-2022-31117 — Medium (CVSS 5.9): UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. In versions prior to…
- CVE-2021-45958 — Medium (CVSS 5.5): UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in Buffer_AppendIndentUnchecked (called from…
All CVEs affecting Ultrajson Project Ultrajson →
Other CWE-190 (Integer Overflow or Wraparound) vulnerabilities
- CVE-2026-4689 — Critical (CVSS 10.0): Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was…
- CVE-2026-24814 — Critical (CVSS 10.0): Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is…
- CVE-2025-64721 — Critical (CVSS 10.0): Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions…
- CVE-2015-5108 — Critical (CVSS 10.0): Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC…
- CVE-2015-5097 — Critical (CVSS 10.0): Integer overflow in Adobe Reader and Acrobat 10.x before 10.1.15 and 11.x before 11.0.12, Acrobat and Acrobat Reader DC…
- CVE-2013-2555 — Critical (CVSS 10.0): Integer overflow in Adobe Flash Player before 10.3.183.75 and 11.x before 11.7.700.169 on Windows and Mac OS X, before…
Browse all CWE-190 (Integer Overflow or Wraparound) vulnerabilities →