
CVE-2026-32874

Severity: High

Published: 20 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (UltraJSON 5.12.0)

CVSS Score (v3.1): 7.5, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0008 (23.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32874 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Ultrajson Project Ultrajson. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 23.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-32874 is an accumulating memory leak vulnerability in UltraJSON, a fast JSON encoder and decoder implemented in C with Python 3.7+ bindings. It affects versions 5.4.0 through 5.11.0, where parsing large integers outside the range [-2^63, 2^64 - 1] leaks memory equivalent to the string representation of the integer plus a NULL byte. This leak persists regardless of whether the integer parses successfully or is rejected due to exceeding sys.get_int_max_str_digits() digits, enabling controlled memory exhaustion based on payload size.

Remote attackers can exploit this vulnerability without authentication or user interaction by submitting JSON payloads containing oversized integers to any service that calls ujson.load(), ujson.loads(), or ujson.decode() on untrusted input. The attack needs only network access and is of low complexity, and it causes a high-impact denial of service through progressive memory exhaustion; this is reflected in the CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and the mapping to CWE-401.

The issue is addressed in UltraJSON version 5.12.0, as detailed in the project's security advisory (GHSA-wgvc-ghv9-3pmm), release notes, and fixing commit (4baeb950df780092bd3c89fc702a868e99a3a1d2). Security practitioners should upgrade affected services immediately and audit for untrusted JSON processing with these functions.


Vulnerability details

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.

CWE(s)

CWE-401 Missing Release of Memory after Effective Lifetime

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Memory leak in JSON parser directly enables remote application memory exhaustion DoS via crafted oversized integer payloads (T1499.003 Application Exhaustion Flood).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32875: same product (Ultrajson Project Ultrajson)
CVE-2026-33852: shared CWE-401
CVE-2026-23414: shared CWE-401
CVE-2026-25988: shared CWE-401
CVE-2025-0241: shared CWE-401
CVE-2026-25796: shared CWE-401
CVE-2025-1634: shared CWE-401
CVE-2026-23095: shared CWE-401
CVE-2026-25969: shared CWE-401
CVE-2026-20012: shared CWE-401

Affected Assets

ultrajson project
ultrajson
5.4.0 up to, but not including, 5.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Patch remediation (prevent)
Directly remediates the memory leak vulnerability by requiring timely patching of UltraJSON to version 5.12.0 or later.

SI-10 Information Input Validation (prevent)
Validates untrusted JSON inputs to reject oversized integers or payloads that trigger the accumulating memory leak during parsing.

SC-5 Denial-of-service Protection (prevent, detect)
Implements denial-of-service protections such as resource quotas and rate limiting to mitigate memory exhaustion from malicious JSON payloads.
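The following is an added example (not code from the UltraJSON project or this advisory) of how the SI-10 and SC-5 controls above can be applied in front of ujson while an upgrade to 5.12.0 is rolled out: it caps the request body size (bounding how much a single request can leak in total) and rejects any integer literal outside a string that is longer than 2^64 - 1 is wide (the leak is proportional to the literal's string length, so a digit cap bounds the per-literal leak). The limits, helper names and sample payloads are constructed for the example; it imports ujson when available and falls back to the standard library json module so it runs anywhere.

```python
"""Pre-parse guard for untrusted JSON bound for ujson (added example, not UltraJSON code).

Two defensive limits taken from the mitigations above:
  * a cap on total payload size, and
  * a cap on the length of any integer literal outside a string literal.
Thresholds, helper names and sample payloads are constructed for this example.
"""
import re
from typing import Any

try:
    import ujson as _backend   # the parser discussed on the page, if installed
except ImportError:            # stdlib fallback so the example runs anywhere
    import json as _backend

MAX_PAYLOAD_BYTES = 64 * 1024  # assumed per-request limit for this service
MAX_INT_DIGITS = 20            # 2**64 - 1 has 20 digits; longer literals are always out of range

# A JSON string literal, including escaped quotes; digits inside strings are not integers.
_STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')
_DIGIT_RUN = re.compile(r"\d+")


class UntrustedJSONRejected(ValueError):
    """Raised when a payload fails a pre-parse limit."""


def longest_digit_run(text: str) -> int:
    """Length of the longest digit run outside string literals (0 if there is none).

    String literals are blanked first. An unterminated string does not match the
    regex and stays in place, so its digits are still counted: the guard fails
    closed on malformed input rather than letting it through to the parser.
    """
    stripped = _STRING_LITERAL.sub('""', text)
    return max((len(m.group(0)) for m in _DIGIT_RUN.finditer(stripped)), default=0)


def safe_loads(payload: bytes, max_bytes: int = MAX_PAYLOAD_BYTES,
               max_digits: int = MAX_INT_DIGITS) -> Any:
    """Decode untrusted JSON only after both limits pass."""
    if len(payload) > max_bytes:
        raise UntrustedJSONRejected(f"payload is {len(payload)} bytes, limit {max_bytes}")
    text = payload.decode("utf-8")  # a UnicodeDecodeError also rejects the request
    run = longest_digit_run(text)
    if run > max_digits:
        raise UntrustedJSONRejected(f"integer literal has {run} digits, limit {max_digits}")
    return _backend.loads(text)


def is_rejected(payload: bytes, **limits: int) -> bool:
    """True if safe_loads refuses the payload; useful for tests and rejection counters."""
    try:
        safe_loads(payload, **limits)
    except UntrustedJSONRejected:
        return True
    return False


# Constructed sample payloads
BENIGN = b'{"id": 42, "note": "order 123456789012345678901234567890"}'  # long digits inside a string
OVERSIZED_INT = b'{"id": ' + b"9" * 40 + b"}"                           # 40-digit integer literal
BLOATED = b"[" + b"1," * 40000 + b"1]"                                   # well-formed but over the size cap

if __name__ == "__main__":
    print(safe_loads(BENIGN))
    for name, p in (("oversized int", OVERSIZED_INT), ("bloated", BLOATED)):
        print(name, "rejected" if is_rejected(p) else "accepted")
```

The size cap is the control that matters most against this CVE, since the advisory notes the leak is only unbounded "provided that there is no limit on the overall size of the payload"; the digit cap additionally keeps the vulnerable code path from being reached at all by the oversized integers the advisory describes. Counting calls to is_rejected that return True per client is a cheap detection signal for the SC-5 "detect" side. Neither limit replaces upgrading to 5.12.0.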
