{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32874", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.420Z", "datePublished": "2026-03-20T01:31:30.207Z", "dateUpdated": "2026-03-20T16:38:13.493Z"}, "containers": {"cna": {"title": "UltraJSON has a Memory Leak parsing large integers allows DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"}, {"name": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2", "tags": ["x_refsource_MISC"], "url": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2"}, {"name": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0"}], "affected": [{"vendor": "ultrajson", "product": "ultrajson", "versions": [{"version": ">= 5.4.0, < 5.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:31:30.207Z"}, "descriptions": [{"lang": "en", "value": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0."}], "source": {"advisory": "GHSA-wgvc-ghv9-3pmm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:36:00.746519Z", "id": "CVE-2026-32874", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:38:13.493Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T16:36:00.746519Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:36:21.330Z"}}], "cna": {"title": "UltraJSON has a Memory Leak parsing large integers allows DoS", "source": {"advisory": "GHSA-wgvc-ghv9-3pmm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "ultrajson", "product": "ultrajson", "versions": [{"status": "affected", "version": ">= 5.4.0, < 5.12.0"}]}], "references": [{"url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm", "name": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2", "name": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0", "name": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T01:31:30.207Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32874", "state": "PUBLISHED", "dateUpdated": "2026-03-20T16:38:13.493Z", "dateReserved": "2026-03-16T21:03:44.420Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T01:31:30.207Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ultrajson_project:ultrajson:*:*:*:*:*:python:*:*", "matchCriteriaId": "75B74FD4-75EC-4754-83BA-217BAE9E6076", "versionEndExcluding": "5.12.0", "versionStartIncluding": "5.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0."}], "id": "CVE-2026-32874", "lastModified": "2026-03-23T15:27:14.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T02:16:35.703", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "UltraJSON: UltraJSON: Denial of Service due to memory leak when parsing large integers", "id": "2449411", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449411"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-772", "details": ["A flaw was found in UltraJSON, a fast JSON encoder and decoder. A remote attacker can exploit this vulnerability by providing specially crafted JSON input that contains extremely large integers. When UltraJSON attempts to parse these inputs, it leads to an accumulating memory leak. This excessive memory consumption can ultimately result in a denial of service (DoS) for any service that processes untrusted JSON inputs using UltraJSON."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-32874", "package_state": [{"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Affected", "package_name": "python-ujson", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Affected", "package_name": "python-ujson", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Affected", "package_name": "python-ujson", "product_name": "Red Hat OpenStack Platform 18.0"}], "public_date": "2026-03-20T01:31:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32874\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32874\nhttps://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2\nhttps://github.com/ultrajson/ultrajson/releases/tag/5.12.0\nhttps://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm"], "statement": "This IMPORTANT flaw in UltraJSON can lead to a denial of service in services that process untrusted JSON inputs. Specially crafted JSON containing excessively large integers can trigger a memory leak, consuming system resources. This affects Red Hat OpenStack Platform and Community Projects utilizing `python-ujson`.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.4.0,5.12.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ultrajson", "vendor": "ultrajson"}], "analysis": {"en": {"generated_at": "2026-03-23T16:54:17.986335+00:00", "value": {"mitigation_remediation": ["Upgrade ultrajson to version 5.12.0 or later", "Implement input validation to reject integers outside the allowed range before passing them to the JSON decoder", "Enforce size limits on JSON payloads to prevent the creation of excessively large inputs", "Apply rate limiting or throttling to control the number of requests processed by the vulnerable application", "Monitor memory usage and set alerts for abnormal growth to detect ongoing attacks"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service via uncontrolled memory growth"}, "threat_synthesis": {"affected_systems": "Any Python application that imports the ultrajson package and uses ujson.load, ujson.loads, or ujson.decode to process JSON data from an untrusted source is impacted. The affected releases are 5.4.0 to 5.11.0; earlier releases and version 5.12.0 or later are not affected.", "description_and_impact": "The vulnerability resides in UltraJSON versions 5.4.0 through 5.11.0 and is triggered when the decoder encounters integers larger than the permitted range of [-2^63, 2^64-1]. Each such integer adds a copy of its string representation plus a trailing null byte to the process\u2019s memory, regardless of whether the integer is successfully parsed or is rejected because it exceeds sys.get_int_max_str_digits(). The effect is an accumulating memory leak that can grow without bound if the JSON payload contains arbitrarily large integers and has no enforced size limit. The result is that the application can run out of memory, become unresponsive, or crash, leading to a denial of service.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, and the EPSS score of less than 1\u202f% suggests that known exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog, implying limited public exploitation to date. However, the lack of authentication or privilege requirements means that an attacker can trigger the exploit simply by sending a crafted JSON payload with large integers to any vulnerable service. The main attack vector is the delivery of such a payload over an exposed interface, and once triggered the attacker can cause service disruption through memory exhaustion."}}}}, "created": "2026-03-20T08:53:36.641091+00:00", "updated": "2026-03-25T14:10:07.995262+00:00", "vendors": ["ultrajson", "ultrajson$PRODUCT$ultrajson"]}