Threat Advisory

UltraJSON Vulnerabilities Lead to Buffer Overflow and Memory Leak

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A set of vulnerabilities in the UltraJSON (ujson) Python library impacts multiple releases. The first weakness involves an integer overflow during indentation operations in ujson.dumps(), which can lead to a buffer overflow, segmentation fault, or infinite loop under certain conditions, potentially causing a crash or denial of service in applications using it. The second weakness is a logic flaw where parsing very large integer values leads to an unbounded memory leak, enabling denial of service (DoS) attacks on services that load untrusted JSON input. Both weaknesses were discovered and fixed in ujson and are rated as having a significant impact on availability for affected projects.

  • CVE‑2026‑32875: An integer overflow in the library's handling of large indentation values in ujson.dumps() can cause out‑of‑bounds writes or infinite loops, crashing the Python interpreter or causing unpredictable behavior. The vulnerability has a CVSS score of 7.5.
  • CVE‑2026‑32874: Parsing very large integer values in JSON triggers a memory leak in ujson, which can be exploited to exhaust memory and cause denial of service in applications that decode untrusted input. The vulnerability has a CVSS score of 7.5.


RECOMMENDATION:

  • We strongly recommend you update UltraJSON to version 5.12.0 or later.


REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-c8rr-9gxc-jprv
https://github.com/advisories/GHSA-wgvc-ghv9-3pmm
