PT-2026-26092 · Ultrajson+2

Skevros · Published 2026-03-17 · Updated 2026-04-28 · CVE-2026-32874

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: UltraJSON versions 5.4.0 through 5.11.0
Description: UltraJSON, a fast JSON encoder and decoder written in C with Python 3.7+ bindings, contains an accumulating memory leak when parsing large integers (outside the range [-2^63, 2^64 - 1]) within JSON data. The leaked memory is a copy of the integer's string representation plus an additional NULL byte. The leak occurs regardless of whether the integer is successfully parsed or rejected for exceeding the maximum number of digits allowed by sys.get_int_max_str_digits(). Consequently, a malicious JSON payload can trigger a memory leak of any size, provided there is no limit on the overall payload size. Any service that passes untrusted input to ujson.load(), ujson.loads() or ujson.decode() is susceptible to denial of service. The vulnerability is triggered when processing large integer values within the JSON input.
Recommendations: Versions 5.4.0 through 5.11.0 should be upgraded to version 5.12.0 or later.
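As an added defensive example (not code from the advisory or from the UltraJSON project): a pre-check that enforces the two conditions the description names before untrusted input reaches the decoder, a cap on total payload size and rejection of any integer literal outside [-2^63, 2^64 - 1], while leaving digits inside JSON strings alone. The 1 MiB cap is an assumed value, and the stdlib json decoder stands in for ujson.loads so the example runs without ujson installed.

```python
import json
import re

# Literals outside this range trigger the leak in UltraJSON 5.4.0 - 5.11.0.
INT_MIN, INT_MAX = -(2 ** 63), 2 ** 64 - 1
# Assumed cap: the leak is only unbounded while the payload size is unbounded.
MAX_PAYLOAD_BYTES = 1 << 20
# RFC 8259 number grammar; an integer has neither fraction nor exponent part.
_NUMBER = re.compile(r'-?(?:0|[1-9][0-9]*)(?P<frac>\.[0-9]+)?(?P<exp>[eE][+-]?[0-9]+)?')


def iter_integer_literals(text):
    """Yield (offset, literal) for each integer token found outside JSON strings."""
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            i += 1                      # skip the string body, honouring escapes
            while i < n and text[i] != '"':
                i += 2 if text[i] == '\\' else 1
            i += 1
        elif c == '-' or '0' <= c <= '9':
            m = _NUMBER.match(text, i)
            if m is None:               # stray '-': leave it for the real parser
                i += 1
                continue
            if m.group('frac') is None and m.group('exp') is None:
                yield i, m.group(0)
            i = m.end()
        else:
            i += 1

def check_payload(text, max_bytes=MAX_PAYLOAD_BYTES):
    """Return None if the payload may be decoded, else the reason for rejecting it."""
    if len(text.encode('utf-8')) > max_bytes:
        return 'payload exceeds %d bytes' % max_bytes
    for pos, lit in iter_integer_literals(text):
        # Check digit count before int(): 2**64-1 has 20 digits, so longer
        # literals are out of range without ever building a big int.
        if len(lit.lstrip('-')) > 20 or not INT_MIN <= int(lit) <= INT_MAX:
            return 'integer literal at offset %d is outside [-2**63, 2**64-1]' % pos
    return None

def safe_loads(text, decoder=json.loads, max_bytes=MAX_PAYLOAD_BYTES):
    """Pre-check, then decode; a service would pass decoder=ujson.loads here."""
    reason = check_payload(text, max_bytes)
    if reason is not None:
        raise ValueError('rejected untrusted JSON: ' + reason)
    return decoder(text)
```

This only narrows exposure until the upgrade to 5.12.0 that the advisory recommends; it does not remove the leak from the decoder itself.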

Tags: Exploit · Fix · DoS · Memory Leak

Weakness Enumeration

Related Identifiers

BDU:2026-05095
CVE-2026-32874
ECHO-1418-3756-D634
GHSA-WGVC-GHV9-3PMM
MGASA-2026-0073
USN-8219-1

Affected Products

Linuxmint
Ubuntu
Ultrajson