2449411 – (CVE-2026-32874) CVE-2026-32874 UltraJSON: UltraJSON: Denial of Service due to memory leak when parsing large integers

Bug 2449411 (CVE-2026-32874) - CVE-2026-32874 UltraJSON: UltraJSON: Denial of Service due to memory leak when parsing large integers

Summary: CVE-2026-32874 UltraJSON: UltraJSON: Denial of Service due to memory leak whe...

Keywords:
Status:	NEW
Alias:	CVE-2026-32874
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2449470 2449466 2449468 2449472 2449474
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-20 03:03 UTC by OSIDB Bzimport
Modified:	2026-03-20 06:44 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-20 03:03:34 UTC

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.

Note You need to log in before you can comment on or make changes to this bug.