CVE-2026-32875
Published: 20 March 2026
Summary
CVE-2026-32875 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in UltraJSON (vendor: Ultrajson Project), affecting versions 5.10 through 5.11.0. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 21.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of flaws such as the integer overflow/underflow in UltraJSON; patching to version 5.12.0 removes both the DoS crash and the infinite-loop condition.
- SI-10 (Information Input Validation): mandates validation of untrusted inputs such as large or negative indent parameters, blocking the integer overflow/underflow that leads to the buffer overflow or infinite loop.
- Denial-of-service protection: protects system availability against DoS attacks that exploit malformed indentation to crash the Python interpreter or exhaust CPU in an infinite loop.
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The remotely triggerable integer overflow/underflow in UltraJSON lets an attacker crash the application or drive it into an infinite loop through an untrusted indent value, which is exactly the Application or System Exploitation pattern of Endpoint Denial of Service.
NVD Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.
Deeper analysis
CVE-2026-32875 affects UltraJSON, a fast JSON encoder and decoder written in pure C with bindings for Python 3.7 and later. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop conditions triggered by large indent values in functions like ujson.dumps(), ujson.dump(), and ujson.encode(). The issues stem from integer overflow or underflow during memory reservation calculations for indentation: a product of the indent parameter and input nested depth exceeding INT32_MAX causes a segmentation fault and Python interpreter crash, while a large negative indent leads to an infinite loop. These flaws, published on 2026-03-20, are classified under CWE-190 (Integer Overflow or Wraparound), CWE-787 (Out-of-bounds Write), and CWE-835 (Loop with Unreachable Exit Condition), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any network-accessible service using a vulnerable UltraJSON version can be exploited remotely without authentication or user interaction if it passes untrusted input as the indent parameter without restricting it to small non-negative values. An attacker can supply a large positive indent together with deeply nested JSON to overflow the reservation size and crash the interpreter, or a large negative indent to induce an infinite loop; either way the outcome is denial of service. Services that hard-code a negative indent are also exposed: the underflow occurs for any negative indent once the input is nested at least one level, although for small negative values it is usually cancelled by a second overflow, so the reliable infinite-loop trigger is a large negative indent.
Mitigation is available in UltraJSON version 5.12.0, which corrects the integer overflow and underflow; versions before 5.10 are outside the affected range. Security practitioners should upgrade to 5.12.0 or later and, independently of the upgrade, restrict the indent parameter to small non-negative values wherever untrusted input can influence it. The advisory and fix are detailed in the GitHub security advisory (GHSA-c8rr-9gxc-jprv), the issue tracker (#700), and the fixing commit (486bd4553dc471a1de11613bc7347a6b318e37ea).
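The following Python is an added example, not UltraJSON's own code and not a copy of the C fix. It models the arithmetic the advisory describes (the product of indent and nesting depth wrapping in 32-bit signed integers) and wraps ujson.dumps() with the SI-10 style input check and an SI-2 style affected-version check. Assumptions: the vulnerable size calculation is modelled as indent * depth in int32, inferred from the advisory wording rather than read from UltraJSON's source; MAX_INDENT and MAX_DEPTH are made-up policy limits; the real ujson module is used if it is installed and the stdlib json module stands in otherwise; the demonstration input is constructed.

```python
# Added example (not UltraJSON's code): int32 model of the advisory's overflow,
# plus a validating wrapper around ujson.dumps() and an affected-version check.
# ASSUMPTION: the reservation size is modelled as indent * depth in C int32;
# MAX_INDENT / MAX_DEPTH are invented policy limits, not values from the project.
import json
import re

try:
    import ujson          # the real library, if it happens to be installed
except ImportError:       # stdlib fallback so the example runs anywhere
    ujson = None

INT32_MAX = 2**31 - 1
MAX_INDENT = 8            # assumed policy limit: largest indent a client may request
MAX_DEPTH = 64            # assumed policy limit on nesting of the data being encoded


def to_int32(n):
    """Wrap a Python int the way a C int32 does (two's complement)."""
    n &= 0xFFFFFFFF
    return n - 0x100000000 if n >= 0x80000000 else n


def modelled_reservation(indent, depth):
    """Assumed model of the vulnerable calculation: indent * depth in int32.

    A wrapped (negative or unexpectedly small) result is the condition the
    advisory describes: too little memory reserved for indentation, or a
    loop whose exit condition is never reached."""
    return to_int32(indent * depth)


def nesting_depth(obj):
    """Number of nested container levels; a scalar is depth 0."""
    if isinstance(obj, dict):
        return 1 + max((nesting_depth(v) for v in obj.values()), default=0)
    if isinstance(obj, (list, tuple)):
        return 1 + max((nesting_depth(v) for v in obj), default=0)
    return 0


def validate_indent(indent, depth):
    """SI-10 style check of an untrusted indent; returns it or raises ValueError."""
    if isinstance(indent, bool) or not isinstance(indent, int):
        raise ValueError("indent must be an integer")
    if indent < 0:
        raise ValueError("negative indent rejected: underflow / infinite-loop case")
    if indent > MAX_INDENT:
        raise ValueError(f"indent {indent} exceeds policy maximum {MAX_INDENT}")
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting depth {depth} exceeds policy maximum {MAX_DEPTH}")
    # Unreachable with the limits above, but states the real invariant explicitly.
    if indent * depth > INT32_MAX:
        raise ValueError("indent * depth would exceed INT32_MAX")
    return indent


def safe_dumps(obj, indent=0):
    """Encode obj, refusing indent values that could reach CVE-2026-32875."""
    indent = validate_indent(indent, nesting_depth(obj))
    if ujson is not None:
        return ujson.dumps(obj, indent=indent)
    # ujson treats indent=0 as compact output; stdlib json needs None for that.
    return json.dumps(obj, indent=indent or None)


def is_vulnerable_version(version):
    """True when version lies in the advisory's affected range: 5.10 <= v < 5.12.0."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    parts += [0] * (3 - len(parts))
    return (5, 10, 0) <= tuple(parts) < (5, 12, 0)


if __name__ == "__main__":
    nested = {"a": [1, {"b": [2, 3]}]}          # constructed demonstration input
    print("depth:", nesting_depth(nested))
    print("int32 model, indent=2**30 depth=4:", modelled_reservation(2**30, 4))
    print("int32 model, indent=-5 depth=3:", modelled_reservation(-5, 3))
    print(safe_dumps(nested, indent=2))
    for v in ("5.9.0", "5.10", "5.11.0", "5.12.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not affected")
```

The wrapper checks depth as well as indent because the advisory's overflow condition is the product of the two: a modest indent paired with attacker-controlled nesting is the same arithmetic. Note also the indent=0 difference between ujson (compact) and stdlib json (newlines without spaces), handled by passing None to the fallback.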
Details
- CWE(s)