PatchSiren cyber security CVE debrief
CVE-2026-32875 ultrajson CVE debrief
CVE-2026-32875 is a high-severity vulnerability in UltraJSON, a fast JSON encoder and decoder for Python. It affects versions 5.10 through 5.11.0 and can lead to a buffer overflow or an infinite loop through large indent handling. The encoder sizes its indentation buffer from the product of the indent parameter and the nesting depth of the input; when that product exceeds INT32_MAX the arithmetic overflows and the Python interpreter crashes, and a negative indent underflows and leaves the encoder in an infinite loop. Either outcome is a denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() while letting untrusted users control the indent parameter without restricting it to reasonably small non-negative values. The issue is fixed in version 5.12.0.
- Vendor
- ultrajson
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-03-20
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-03-20
- Advisory updated
- 2026-06-30
Who should care
Developers and administrators running UltraJSON 5.10 through 5.11.0 are affected. Exposure is greatest in services that pass a caller-supplied value (for example a pretty-print option taken from a request) straight into the indent parameter of ujson.dump()/dumps()/encode(). Services that use a fixed negative indent are also exposed to the infinite loop, because any input nested at least one level triggers it, whoever supplied the data. Upgrading to 5.12.0 or later is the fix; restricting indent to small non-negative values is a stopgap until then.
Technical summary
The vulnerability arises from an integer overflow/underflow when UltraJSON calculates the memory needed for indentation. That calculation multiplies the indent parameter by the nesting depth of the input using a 32-bit integer. When the product exceeds INT32_MAX (2^31 - 1) the value no longer fits, the indentation buffer is mis-sized, and ujson.dumps() crashes the Python interpreter with a segmentation fault. For a negative indent the calculation underflows, which leads to an infinite loop whenever the input is nested at least one level. The CVSS 3.1 base score is 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, with impact limited to availability.
Defensive priority
High. The vector is network-reachable with no privileges or user interaction, and a single request can crash or hang the encoding worker. The precondition is narrow, though: only services that let callers choose indent, or that hard-code a negative one, are exploitable. Affected services should patch to 5.12.0 or later and, where that is delayed, clamp indent at the call site.
Recommended defensive actions
- Upgrade UltraJSON to version 5.12.0 or later.
- Restrict the indent parameter to reasonably small non-negative values.
- Avoid using fixed negative indents.
- Monitor services that use UltraJSON for repeated worker segfaults or encoder calls that never return; these are the observable symptoms of exploitation attempts.
- Limit the size and nesting depth of untrusted input accepted for encoding, and run encoding under a request timeout so a hung worker is recycled instead of tying up the service.
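As an added example for this debrief (not UltraJSON's code and not from the advisory), the Python below implements the two checks the actions above and the technical summary call for: validating a caller-supplied indent before it reaches ujson.dumps(), including the indent-times-depth product that the summary identifies as the trigger, and checking an installed version string against 5.12.0. It assumes the mechanism as the page describes it; MAX_INDENT, the helper names and the fallback to the standard json module when ujson is not installed are choices made for this example.

```python
"""Guarding the ``indent`` argument before it reaches UltraJSON.

Added example for this debrief; it is not UltraJSON's own code. Assumption,
taken from the debrief: the encoder sizes its indentation buffer from
indent * nesting depth in 32-bit arithmetic, so a product above INT32_MAX or
a negative indent must never reach ujson.dump()/dumps()/encode().
MAX_INDENT and the helper names are choices made for this example.
"""
import re
from typing import Optional

try:
    import ujson as _json          # the library under discussion
except ImportError:                # fallback so the example runs without ujson
    import json as _json

INT32_MAX = 2**31 - 1
MAX_INDENT = 8                     # assumption: tight ceiling for user-chosen indent
FIXED_VERSION = (5, 12, 0)         # first release the advisory lists as fixed


def nesting_depth(obj) -> int:
    """Container nesting depth of obj: 0 for scalars, 1 for a flat list/dict."""
    if isinstance(obj, dict):
        children = obj.values()
    elif isinstance(obj, (list, tuple)):
        children = obj
    else:
        return 0
    return 1 + max((nesting_depth(c) for c in children), default=0)


def indent_product_overflows(indent: int, depth: int) -> bool:
    """True when indent * depth does not fit a signed 32-bit int (the crash trigger)."""
    return indent * depth > INT32_MAX


def indent_error(indent, obj) -> Optional[str]:
    """Reason the request must be refused, or None if it is safe to encode."""
    if isinstance(indent, bool) or not isinstance(indent, int):
        return "indent must be an integer"
    if indent < 0:
        return "indent must be non-negative"      # negative -> underflow -> infinite loop
    if indent > MAX_INDENT:
        return f"indent must not exceed {MAX_INDENT}"
    if indent_product_overflows(indent, nesting_depth(obj)):
        return "indent * depth would overflow a 32-bit int"
    return None


def safe_dumps(obj, indent: int = 0) -> str:
    """Encode obj, refusing any indent the vulnerable arithmetic cannot handle."""
    problem = indent_error(indent, obj)
    if problem is not None:
        raise ValueError(problem)
    return _json.dumps(obj, indent=indent)


def is_fixed_version(version: str) -> bool:
    """True if a ujson version string is 5.12.0 or later (numeric prefix only)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))      # "5.12" -> (5, 12, 0)
    return parts >= FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample: a request body and a few caller-chosen indents.
    body = {"user": "alice", "roles": ["admin", ["nested"]]}   # depth 3
    for requested in (2, -1, 2**31, "4"):
        err = indent_error(requested, body)
        print(f"indent={requested!r}: {'ok' if err is None else 'refused: ' + err}")
    print(safe_dumps(body, indent=2))
    installed = getattr(_json, "__version__", "stdlib json")
    print("encoder version:", installed, "fixed:", is_fixed_version(str(installed)))
```

Call indent_error() or safe_dumps() in the request handler that maps a pretty-print option onto indent; with indent capped at 8 the product check can only fire at implausible depths, so it is there to document the trigger, and the depth limit you enforce on untrusted input is what bounds the other factor.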
Evidence notes
The CVE record and NVD detail provide comprehensive information about the vulnerability. The source item URL provides additional context from the NVD database. The patch and issue tracking references from GitHub provide further details on the fix and the issue.
Official resources
- CVE-2026-32875 CVE record (CVE.org)
- CVE-2026-32875 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch
- Source reference: [email protected] - Issue Tracking
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.