CVE-2026-32874

ujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers.

Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks.

The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get int max str digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.

ujson.loads(str(2 ** 64 - 1)) # No leak
ujson.loads(str(2 ** 64)) # Leaks
ujson.loads(str(10 ** sys.get int max str digits())) # Leaks and raises ValueError

The leak is fixed in ujson 5.12.0 (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.

Discovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)