CVE-2026-32874: Missing Release of Memory after Effective Lifetime in Project Ultrajson

Severity
7.5 HIGH (NVD)
EPSS
0.1% (top 77.99%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 20

Description

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak when parsing large integers (outside the range [-2^63, 2^64 - 1]) from JSON. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Debian: debian/ujson
NVD: ultrajson_project/ultrajson, from 5.4.0, before 5.12.0
CVEList V5: ultrajson/ultrajson, >= 5.4.0, < 5.12.0

Patches

Vulnerability Details (3)

OSV: CVE-2026-32874: UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3 (2026-03-20)
GHSA: UltraJSON has a Memory Leak parsing large integers allows DoS (2026-03-18)
OSV: UltraJSON has a Memory Leak parsing large integers allows DoS (2026-03-18)

Vendor Advisories (2)

Red Hat: UltraJSON: Denial of Service due to memory leak when parsing large integers (2026-03-20)
Debian: CVE-2026-32874: ujson - UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-32874 Impact, Exploitability, and Mitigation Steps | Wiz

Community (1)

Bugzilla: CVE-2026-32874 UltraJSON: Denial of Service due to memory leak when parsing large integers (2026-03-20)
CVE-2026-32874 — Project Ultrajson vulnerability | cvebase