CVE-2026-32875: Integer Overflow or Wraparound in Project Ultrajson

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 84.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 20

Description

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow wh
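The two trigger conditions in the description (indent times nesting depth exceeding INT32_MAX, and a negative indent) can both be rejected before ujson.dumps() is ever called. The guard below is an added example, not code from the ujson project or from any advisory: the real fix is upgrading to a release at or above 5.12.0, the end of the affected range listed on this page, and this wrapper is for code that must keep an affected build running while it cannot trust the indent value or the nesting depth of what it serialises. It assumes the advisory's trigger conditions are as stated; the policy cap on indent (16 by default) and the names nesting_depth, check_indent and safe_dumps are this example's own choices. It falls back to the standard library json module when ujson is not installed so it runs anywhere.

```python
"""Pre-call guard for ujson.dumps() against CVE-2026-32875.

Added example, not ujson project code. Assumptions taken from the advisory
text on this page: the crash is triggered when indent * nesting_depth exceeds
INT32_MAX, and a negative indent causes an infinite loop. The policy cap on
indent is a choice made here, not anything ujson enforces.
"""
import json

try:
    import ujson as _backend          # the library under discussion, if installed
except ImportError:                    # fallback so the example runs without ujson
    _backend = json

INT32_MAX = 2**31 - 1


def nesting_depth(obj):
    """Depth of nested dict/list/tuple containers; scalars are depth 0.

    Iterative rather than recursive, so input deep enough to matter for this
    bug does not blow Python's recursion limit inside the guard itself.
    Raises ValueError on a cycle instead of looping forever.
    """
    def children(o):
        if isinstance(o, dict):
            return iter(o.values())
        if isinstance(o, (list, tuple)):
            return iter(o)
        return None

    top = children(obj)
    if top is None:
        return 0
    stack = [(top, id(obj))]        # one frame per container on the current path
    on_path = {id(obj)}
    deepest = 1
    while stack:
        it, oid = stack[-1]
        try:
            child = next(it)
        except StopIteration:
            stack.pop()
            on_path.discard(oid)
            continue
        sub = children(child)
        if sub is None:
            continue
        if id(child) in on_path:
            raise ValueError("circular reference in object to serialise")
        stack.append((sub, id(child)))
        on_path.add(id(child))
        deepest = max(deepest, len(stack))
    return deepest


def check_indent(indent, depth, max_indent=16):
    """Validate indent against the advisory's trigger conditions.

    max_indent is a local policy cap (assumption: nobody legitimately indents
    by more than a few spaces); pass None to disable it and rely only on the
    int32 overflow check.
    """
    if isinstance(indent, bool) or not isinstance(indent, int):
        raise ValueError("indent must be an int")
    if indent < 0:
        raise ValueError("negative indent rejected (infinite-loop trigger)")
    if max_indent is not None and indent > max_indent:
        raise ValueError(f"indent {indent} exceeds policy cap {max_indent}")
    if indent * depth > INT32_MAX:
        raise ValueError("indent * nesting depth would exceed INT32_MAX (crash trigger)")
    return True


def safe_dumps(obj, indent=0, max_indent=16):
    """dumps() wrapper that refuses inputs matching the CVE's trigger conditions."""
    check_indent(indent, nesting_depth(obj), max_indent)
    kwargs = {"indent": indent} if indent else {}   # indent=0 means compact output
    return _backend.dumps(obj, **kwargs)


def make_nested(levels):
    """Constructed test input: a list nested `levels` deep around a scalar."""
    obj = 1
    for _ in range(levels):
        obj = [obj]
    return obj


if __name__ == "__main__":
    deep = make_nested(1000)
    print(safe_dumps({"a": [1, {"b": 2}]}, indent=2))
    for bad in (-1, INT32_MAX // 1000 + 1):
        try:
            safe_dumps(deep, indent=bad, max_indent=None)
        except ValueError as exc:
            print("rejected:", exc)
```

The depth walk is deliberately iterative: a recursive depth counter would hit Python's recursion limit on exactly the inputs this guard exists to catch, turning the check itself into a crash path. The product check mirrors the advisory's stated condition; the indent cap is the cheaper and more conservative control, since no legitimate caller indents by millions of spaces.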

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Network vector, low complexity, no privileges or user interaction, unchanged scope; availability impact only (the interpreter crashes or hangs), with no confidentiality or integrity impact. Reaching the bug requires the application to call ujson.dumps() with a non-default indent on input whose nesting depth the attacker influences, or to let the attacker choose the indent value itself; the default indent of 0 does not trigger it.

Affected Packages (3 packages)

Debian: debian/ujson
NVD: ultrajson_project/ultrajson, from 5.1.0 up to (excluding) 5.12.0
CVEList V5: ultrajson/ultrajson, >= 5.1.0, < 5.12.0

Patches

🔴 Vulnerability Details (3)

OSV: CVE-2026-32875: UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3 (2026-03-20)
OSV: UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop (2026-03-18)
GHSA: UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop (2026-03-18)

📋 Vendor Advisories (2)

Red Hat: ultrajson: UltraJSON: Denial of Service via large indent parameter in JSON serialization (2026-03-20)
Debian: CVE-2026-32875: ujson - UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-32875 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (1)

Bugzilla: CVE-2026-32875 ultrajson: UltraJSON: Denial of Service via large indent parameter in JSON serialization (2026-03-20)
CVE-2026-32875 — Integer Overflow or Wraparound | cvebase