CVE-2026-32874
Published: 20 March 2026
Summary
CVE-2026-32874 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Ultrajson Project Ultrajson. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks at the 22.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the memory leak vulnerability by requiring timely patching of UltraJSON to version 5.12.0 or later.
- Validates untrusted JSON inputs to reject oversized integers or payloads that trigger the accumulating memory leak during parsing.
- Implements denial-of-service protections such as resource quotas and rate limiting to mitigate memory exhaustion from malicious JSON payloads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The memory leak in the JSON parser directly enables remote application memory exhaustion (denial of service) via crafted oversized-integer payloads, which corresponds to Application Exhaustion Flood (T1499.003).
NVD Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.
Deeper analysis
CVE-2026-32874 is an accumulating memory leak vulnerability in UltraJSON, a fast JSON encoder and decoder implemented in C with Python 3.7+ bindings. It affects versions 5.4.0 through 5.11.0, where parsing large integers outside the range [-2^63, 2^64 - 1] leaks memory equivalent to the string representation of the integer plus a NULL byte. This leak persists regardless of whether the integer parses successfully or is rejected due to exceeding sys.get_int_max_str_digits() digits, enabling controlled memory exhaustion based on payload size.
Remote attackers can exploit this vulnerability without authentication or user interaction by submitting malicious JSON payloads containing oversized integers to any service that invokes ujson.load(), ujson.loads(), or ujson.decode() on untrusted inputs. The attack requires only network access and low complexity, and it achieves a high-impact denial of service through progressive memory exhaustion; it is scored 7.5 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-401.
The issue is addressed in UltraJSON version 5.12.0, as detailed in the project's security advisory (GHSA-wgvc-ghv9-3pmm), release notes, and fixing commit (4baeb950df780092bd3c89fc702a868e99a3a1d2). Security practitioners should upgrade affected services immediately and audit for untrusted JSON processing with these functions.
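As an added illustration of the SI-10 input-validation control listed above (example code written for this page, not code from the UltraJSON project or the advisory): a pre-parse filter that rejects integer literals outside [-2^63, 2^64 - 1] and over-long payloads before the text reaches a decoder on an affected ujson version. It defaults to the standard library json.loads so it runs without ujson installed; the payload size limit and the function names are assumptions.

```python
import json
import re

# Range quoted in the advisory: literals outside it take the leaky big-integer path.
INT_MIN = -(2 ** 63)
INT_MAX = 2 ** 64 - 1
MAX_PAYLOAD_BYTES = 64 * 1024  # assumed per-service cap; the leak scales with payload size

# Tokenizer: JSON string literals first (so digits inside strings are skipped),
# then JSON number literals (integer with optional fraction/exponent).
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?')


def oversized_integers(payload: str) -> list:
    """Return every integer literal in payload that lies outside [INT_MIN, INT_MAX]."""
    found = []
    for match in _TOKEN.finditer(payload):
        tok = match.group(0)
        if tok.startswith('"'):
            continue  # string literal: digits inside are data, not numbers
        if any(c in tok for c in ".eE"):
            continue  # float literal: not parsed through the integer path
        digits = tok.lstrip("-")
        # 2^64-1 has 20 digits, so anything longer is out of range; checking the
        # length first also avoids int() on huge strings (sys.get_int_max_str_digits()).
        if len(digits) > 20:
            found.append(tok)
            continue
        value = int(tok)
        if value < INT_MIN or value > INT_MAX:
            found.append(tok)
    return found


def safe_loads(payload: str, loads=json.loads):
    """Validate raw JSON text, then hand it to the configured decoder (e.g. ujson.loads)."""
    if len(payload.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload exceeds size limit")
    bad = oversized_integers(payload)
    if bad:
        raise ValueError(f"rejected {len(bad)} oversized integer literal(s)")
    return loads(payload)
```

In a service, pass `loads=ujson.loads` and keep the upgrade to 5.12.0 as the primary fix; the filter only narrows exposure until the patch is deployed.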
Details
- CWE(s)