Buffer Overflow and Infinite Loop in UltraJSON May Lead to Denial of Service
CVE-2026-32875
What is CVE-2026-32875?
The UltraJSON library (ujson), a fast JSON encoder and decoder for Python, mishandles the indent parameter in versions prior to 5.12.0 (see Affected Version(s) below). When the indent value multiplied by the nesting depth of the object being encoded exceeds INT32_MAX, the buffer-size computation overflows a 32-bit integer; the resulting buffer overflow ends in a segmentation fault that crashes the Python interpreter. A large negative indent value instead sends the encoder into an infinite loop. Both outcomes are denials of service. Services that pass untrusted user input as the indent argument of ujson.dump(), ujson.dumps(), or ujson.encode() are exposed. Upgrading to version 5.12.0 resolves both issues; until then, indentation width should not be accepted from untrusted sources.
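The following is an added example, not code from the advisory or from the UltraJSON project. It shows the arithmetic the advisory describes (indent times nesting depth compared against INT32_MAX) and a small guard a service can place in front of an encoder whose indent argument is request-controlled. The policy cap MAX_INDENT is an assumed, application-chosen limit, and the stdlib fallback is only there so the example runs where ujson is not installed.

```python
"""Guard untrusted `indent` values before they reach a JSON encoder.

Added example (not part of the advisory or the UltraJSON project). It
demonstrates the overflow arithmetic behind the bug and a validation
wrapper a service can use in front of ujson.dumps() while upgrading.
"""

try:
    import ujson as _json  # the library under discussion, when installed
except ImportError:  # stdlib fallback so the example runs anywhere
    import json as _json

INT32_MAX = 2**31 - 1

# Assumed policy cap on indentation width. No real consumer needs a wider
# indent, and a huge indent is a DoS on its own (output grows with
# indent * depth) even where no integer overflow occurs.
MAX_INDENT = 8


def nesting_depth(obj):
    """Return the deepest container nesting in obj (0 for a scalar).

    Iterative, so a hostile deeply nested document cannot exhaust the
    Python recursion limit inside the guard itself.
    """
    depth = 0
    stack = [(obj, 1)]
    while stack:
        node, level = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue
        depth = max(depth, level)
        stack.extend((child, level + 1) for child in children)
    return depth


def indent_overflows(indent, depth):
    """True when indent * depth exceeds a signed 32-bit value.

    This is the product the advisory describes as overflowing in the
    encoder's buffer-size computation.
    """
    return indent * depth > INT32_MAX


def validate_indent(indent, depth, max_indent=MAX_INDENT):
    """Return a safe indent (0 for None) or raise TypeError/ValueError.

    Rejects bools and non-integers, negative values (the infinite-loop
    case), values above the policy cap, and values whose product with the
    nesting depth would exceed INT32_MAX (the segfault case).
    """
    if indent is None:
        return 0
    if isinstance(indent, bool) or not isinstance(indent, int):
        raise TypeError("indent must be an int or None")
    if indent < 0:
        raise ValueError("negative indent is not allowed")
    if max_indent is not None and indent > max_indent:
        raise ValueError(f"indent {indent} exceeds policy cap {max_indent}")
    if indent_overflows(indent, depth):
        raise ValueError("indent * nesting depth would exceed INT32_MAX")
    return indent


def safe_dumps(obj, indent=None, **kwargs):
    """Encode obj after validating an indent that may come from a request."""
    indent = validate_indent(indent, nesting_depth(obj))
    if indent == 0:
        return _json.dumps(obj, **kwargs)
    return _json.dumps(obj, indent=indent, **kwargs)


def roundtrip(obj, indent=None):
    """Encode with the guard and decode again; used to check the wrapper."""
    return _json.loads(safe_dumps(obj, indent=indent))


if __name__ == "__main__":
    # Constructed sample: a request-controlled indent applied to a small document.
    doc = {"user": "alice", "roles": ["admin", {"scope": "read"}]}
    print(safe_dumps(doc, indent=2))
    for bad in (-1, 2**31, 10**12):
        try:
            safe_dumps(doc, indent=bad)
        except (ValueError, TypeError) as exc:
            print(f"rejected indent={bad}: {exc}")
```

The guard only protects call sites you control; it is a stop-gap for the window before the upgrade to 5.12.0, not a substitute for it. With the cap at 8, the INT32_MAX check can only trigger at nesting depths no Python object will reach in practice, so it is kept as defense in depth for callers that pass `max_indent=None`.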
Affected Version(s)
ultrajson >= 5.1.0, < 5.12.0
