CVE-2026-32875: UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. This issue has been fixed in version 5.12.0.
Security readout for executives and security teams
Plain-English summary
UltraJSON can crash or hang Python services when JSON output indentation is mishandled. The risk is denial of service, not data theft. Exposure is narrower than a typical library flaw because attackers need influence over the indent value or the service must use an unsafe negative indent.
Executive priority
Treat as a high-priority availability issue for Python services using UltraJSON in request paths. Urgency is highest where external users can influence formatting options or trigger nested JSON serialization.
Technical view
Integer overflow or underflow in UltraJSON indentation size calculation can cause a buffer overflow crash or infinite loop. Reported impact is availability loss in ujson.dump(), ujson.dumps(), or ujson.encode(). The source bundle states fixed version 5.12.0, but gives inconsistent affected ranges: 5.10-5.11.0 and >=5.1.0,<5.12.0.
Likely exposure
Python applications using UltraJSON before 5.12.0 are relevant. Practical exposure depends on whether application code passes attacker-controlled indent values, permits very large indentation, or uses fixed negative indentation with nested input.
Exploitation context
The bundle reports no KEV listing and provides no cited evidence of active exploitation. The described abuse is remote denial of service when a reachable service serializes nested JSON with unsafe indentation parameters.
Researcher notes
Focus triage on data flow into the indent parameter, not merely library presence. Document the version-range discrepancy from the bundle and rely on vendor advisory, commit, and downstream vendor statements for final affected-version decisions.
Mitigation direction
Upgrade UltraJSON to version 5.12.0 or later.
Restrict indent to small, non-negative values before calling UltraJSON.
Remove user control over serialization indentation where possible.
Check vendor guidance for downstream package status and backports.
Prioritize internet-facing APIs that serialize user-influenced JSON.
Validation and detection
Inventory UltraJSON versions in application dependencies and containers.
Review ujson.dump, dumps, and encode call sites for indent handling.
Confirm no request parameter or user preference controls indent unsafely.
Check for fixed negative indent values with nested JSON serialization.
Use dependency scanning to flag UltraJSON versions below 5.12.0.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-190: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.