PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32875 ultrajson CVE debrief

CVE-2026-32875 is a high-severity vulnerability in UltraJSON (ujson), a fast JSON encoder and decoder for Python. Versions 5.10 through 5.11.0 are affected. When the product of the indent parameter and the nesting depth of the input exceeds INT32_MAX, the size computed for the indentation buffer wraps, and ujson.dumps() either crashes the Python interpreter (segmentation fault) or spins in an infinite loop. Either outcome is a denial of service: a dead or hung worker. To be vulnerable, a service must call ujson.dump(), ujson.dumps() or ujson.encode() while letting untrusted users control the indent parameter without restricting it to reasonably small non-negative values. The issue is fixed in version 5.12.0.

Vendor
ultrajson
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-20
Original CVE updated
2026-06-30
Advisory published
2026-03-20
Advisory updated
2026-06-30

Who should care

Developers and administrators running UltraJSON versions 5.10 through 5.11.0 should check how the indent parameter reaches ujson in their code. Services that let untrusted users choose indent (such as a pretty-print option on a response) are directly exposed. Services that use a fixed negative indent are also exposed to the infinite loop, because the underflow needs no attacker-controlled indent, only input that is at least one level nested. Upgrading to 5.12.0 or later removes both paths and should be prioritized.

Technical summary

The root cause is an integer overflow or underflow in the calculation of the memory needed for indentation. When indent multiplied by the nesting depth of the input exceeds INT32_MAX, the computed size wraps and the encoder writes past the buffer it allocated; ujson.dumps() then crashes the interpreter with a segmentation fault. A negative indent underflows the same calculation, and if the input is at least one level nested the encoder enters an infinite loop. Because the trigger is the product of the two values, an attacker who controls indent can compensate for shallow input with a larger indent. The vulnerability is rated CVSS 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, with impact limited to availability.

Defensive priority

Defensive priority is high: no authentication is needed, and one request that triggers the bug either kills the worker process (segfault) or leaves it looping forever. Affected services should patch to version 5.12.0 or later; where patching must wait, enforce the indent restrictions listed below.

Recommended defensive actions

  • Upgrade UltraJSON to version 5.12.0 or later; this is the only fix for the library itself.
  • Until then, validate any caller-supplied indent and reject or clamp values outside a small non-negative range before it reaches ujson.dump(), ujson.dumps() or ujson.encode().
  • Remove fixed negative indents from your own code, since they trigger the infinite loop on nested input without any attacker-controlled parameter.
  • Watch services that use UltraJSON for the two symptoms of this bug: worker processes dying with a segmentation fault, and workers that stop responding while consuming CPU.
  • Limit the nesting depth of untrusted JSON you re-encode, since the overflow is a product of indent and depth, and keep the usual denial-of-service controls (request size limits, per-request timeouts, rate limiting) in front of encoders.

Evidence notes

The CVE record and the NVD entry supply the affected range, the fix version and the CVSS vector; the source item URL points at the NVD database entry. The GitHub patch and issue references document the fix and the original report.

Official resources

This article is AI-assisted and based on the supplied source corpus.