{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-32874", "tracking": { "current_release_date": "2026-03-25T18:37:51.242647Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-32874", "initial_release_date": "2026-03-18T13:39:36.713303Z", "revision_history": [ { "date": "2026-03-18T13:39:36.713303Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-18T13:39:40.922125Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-19T11:40:12.663110Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-20T18:24:13.373943Z", "number": "4", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-20T18:24:16.579165Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:24:23.247093Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-20T18:24:25.690613Z", "number": "7", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:32:27.549875Z", "number": "8", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (6).| Product Identifiers created (3).| Product Remediations created (6).| References created (5).| CWES updated (1).| Vendor_assessment created." }, { "date": "2026-03-20T18:32:31.787890Z", "number": "9", "summary": "NCSC Score updated." }, { "date": "2026-03-20T18:36:28.633992Z", "number": "10", "summary": "Unknown change." }, { "date": "2026-03-20T21:41:37.102407Z", "number": "11", "summary": "References created (1)." }, { "date": "2026-03-20T21:59:27.338776Z", "number": "12", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T21:59:30.416363Z", "number": "13", "summary": "NCSC Score updated." }, { "date": "2026-03-21T00:44:47.917302Z", "number": "14", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products created (1).| Products connected (1)." }, { "date": "2026-03-21T13:47:21.907173Z", "number": "15", "summary": "References removed (1)." }, { "date": "2026-03-22T00:51:47.695265Z", "number": "16", "summary": "References created (1)." }, { "date": "2026-03-22T11:24:50.823004Z", "number": "17", "summary": "References removed (1)." }, { "date": "2026-03-23T00:53:57.722137Z", "number": "18", "summary": "References created (1)." }, { "date": "2026-03-23T05:15:54.365925Z", "number": "19", "summary": "References removed (1)." }, { "date": "2026-03-24T02:10:48.760732Z", "number": "20", "summary": "Products created (1).| Product Identifiers created (1)." }, { "date": "2026-03-24T02:10:59.020756Z", "number": "21", "summary": "NCSC Score updated." }, { "date": "2026-03-24T20:56:18.318210Z", "number": "22", "summary": "References created (1)." }, { "date": "2026-03-25T18:37:06.482826Z", "number": "23", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (9).| Product Identifiers created (8).| References created (4).| CWES updated (1)." } ], "status": "interim", "version": "23" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/16.2", "product": { "name": "vers:rpm/16.2", "product_id": "CSAFPID-1441187", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:16.2" } } } ], "category": "product_name", "name": "Red Hat OpenStack Platform 16.2" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/17.1", "product": { "name": "vers:rpm/17.1", "product_id": "CSAFPID-1441193", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:17.1" } } } ], "category": "product_name", "name": "Red Hat OpenStack Platform 17.1" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/18.0", "product": { "name": "vers:rpm/18.0", "product_id": "CSAFPID-1441197", "product_identification_helper": { "cpe": "cpe:/a:redhat:openstack:18.0" } } } ], "category": "product_name", "name": "Red Hat OpenStack Platform 18.0" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-5875022" } } ], "category": "product_name", "name": "python-ujson" } ], "category": "product_family", "name": "Red Hat OpenStack Platform 16.2" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-5875023" } } ], "category": "product_name", "name": "python-ujson" } ], "category": "product_family", "name": "Red Hat OpenStack Platform 17.1" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-5875026" } } ], "category": "product_name", "name": "python-ujson" } ], "category": "product_family", "name": "Red Hat OpenStack Platform 18.0" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=5.4.0|<5.12.0", "product": { "name": "vers:unknown/>=5.4.0|<5.12.0", "product_id": "CSAFPID-5895588", "product_identification_helper": { "cpe": "cpe:2.3:a:ultrajson_project:ultrajson:*:*:*:*:*:python:*:*" } } } ], "category": "product_name", "name": "UltraJSON" } ], "category": "vendor", "name": "UltraJSON Project" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-5879011" } } ], "category": "product_name", "name": "ujson" } ], "category": "product_family", "name": "bookworm" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-1404751" } } ], "category": "product_name", "name": "ujson" } ], "category": "product_family", "name": "bullseye" } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/5.10.0", "product": { "name": "vers:unknown/5.10.0", "product_id": "CSAFPID-5908036", "product_identification_helper": { "purl": "pkg:pypi/ujson@5.10.0" } } }, { "category": "product_version_range", "name": "vers:unknown/5.11.0", "product": { "name": "vers:unknown/5.11.0", "product_id": "CSAFPID-5908037", "product_identification_helper": { "purl": "pkg:pypi/ujson@5.11.0" } } }, { "category": "product_version_range", "name": "vers:unknown/5.4.0", "product": { "name": "vers:unknown/5.4.0", "product_id": "CSAFPID-5908038", "product_identification_helper": { "purl": "pkg:pypi/ujson@5.4.0" } } }, { "category": "product_version_range", "name": "vers:unknown/5.5.0", "product": { "name": "vers:unknown/5.5.0", "product_id": "CSAFPID-5908039", "product_identification_helper": { "purl": "pkg:pypi/ujson@5.5.0" } } }, { "category": "product_version_range", "name": "vers:unknown/5.6.0", "product": { "name": "vers:unknown/5.6.0", "product_id": "CSAFPID-5908040", "product_identification_helper": { "purl": "pkg:pypi/ujson@5.6.0" } } }, { "category": "product_version_range", "name": "vers:unknown/5.7.0", "product": { "name": "vers:unknown/5.7.0", "product_id": "CSAFPID-5908041", "product_identification_helper": { "purl": "pkg:pypi/ujson@5.7.0" } } }, { "category": "product_version_range", "name": "vers:unknown/5.8.0", "product": { "name": "vers:unknown/5.8.0", "product_id": "CSAFPID-5908042", "product_identification_helper": { "purl": "pkg:pypi/ujson@5.8.0" } } }, { "category": "product_version_range", "name": "vers:unknown/5.9.0", "product": { "name": "vers:unknown/5.9.0", "product_id": "CSAFPID-5908043", "product_identification_helper": { "purl": "pkg:pypi/ujson@5.9.0" } } }, { "category": "product_version_range", "name": "vers:unknown/>=5.4.0|<5.12.0", "product": { "name": "vers:unknown/>=5.4.0|<5.12.0", "product_id": "CSAFPID-5908044" } } ], "category": "product_name", "name": "ujson" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=5.4.0|<5.12.0", "product": { "name": "vers:unknown/>=5.4.0|<5.12.0", "product_id": "CSAFPID-5874292" } } ], "category": "product_name", "name": "ultrajson" } ], "category": "vendor", "name": "ultrajson" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-32874", "cwe": { "id": "CWE-401", "name": "Missing Release of Memory after Effective Lifetime" }, "notes": [ { "category": "description", "text": "#### Summary\n\nujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing _large_ (outside of the range [-2^63, 2^64 - 1]) integers.\n\n#### Exploitability\n\nAny service that calls `ujson.load()`/`ujson.loads()`/`ujson.decode()` on untrusted inputs is affected and vulnerable to denial of service attacks.\n\n#### Details\n\nThe leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than `sys.get_int_max_str_digits()` digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.\n\n```python\nujson.loads(str(2 ** 64 - 1)) # No leak\nujson.loads(str(2 ** 64)) # Leaks\nujson.loads(str(10 ** sys.get_int_max_str_digits())) # Leaks and raises ValueError\n```\n\n#### Fix\n\nThe leak is fixed in `ujson 5.12.0` (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.\n\n#### Credits\n\nDiscovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)", "title": "github - https://github.com/advisories/GHSA-wgvc-ghv9-3pmm" }, { "category": "description", "text": "#### Summary\n\nujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing _large_ (outside of the range [-2^63, 2^64 - 1]) integers.\n\n#### Exploitability\n\nAny service that calls `ujson.load()`/`ujson.loads()`/`ujson.decode()` on untrusted inputs is affected and vulnerable to denial of service attacks.\n\n#### Details\n\nThe leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than `sys.get_int_max_str_digits()` digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.\n\n```python\nujson.loads(str(2 ** 64 - 1)) # No leak\nujson.loads(str(2 ** 64)) # Leaks\nujson.loads(str(10 ** sys.get_int_max_str_digits())) # Leaks and raises ValueError\n```\n\n#### Fix\n\nThe leak is fixed in `ujson 5.12.0` (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.\n\n#### Credits\n\nDiscovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)", "title": "github - https://api.github.com/advisories/GHSA-wgvc-ghv9-3pmm" }, { "category": "description", "text": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32874" }, { "category": "description", "text": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32874.json" }, { "category": "description", "text": "A flaw was found in UltraJSON, a fast JSON encoder and decoder. A remote attacker can exploit this vulnerability by providing specially crafted JSON input that contains extremely large integers. When UltraJSON attempts to parse these inputs, it leads to an accumulating memory leak. This excessive memory consumption can ultimately result in a denial of service (DoS) for any service that processes untrusted JSON inputs using UltraJSON.\nThis IMPORTANT flaw in UltraJSON can lead to a denial of service in services that process untrusted JSON inputs. Specially crafted JSON containing excessively large integers can trigger a memory leak, consuming system resources. This affects Red Hat OpenStack Platform and Community Projects utilizing `python-ujson`.", "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32874.json" }, { "category": "description", "text": "UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of service attacks. This issue has been fixed in version 5.12.0.", "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-32874" }, { "category": "description", "text": "#### Summary\n\nujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing _large_ (outside of the range [-2^63, 2^64 - 1]) integers.\n\n#### Exploitability\n\nAny service that calls `ujson.load()`/`ujson.loads()`/`ujson.decode()` on untrusted inputs is affected and vulnerable to denial of service attacks.\n\n#### Details\n\nThe leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than `sys.get_int_max_str_digits()` digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload.\n\n```python\nujson.loads(str(2 ** 64 - 1)) # No leak\nujson.loads(str(2 ** 64)) # Leaks\nujson.loads(str(10 ** sys.get_int_max_str_digits())) # Leaks and raises ValueError\n```\n\n#### Fix\n\nThe leak is fixed in `ujson 5.12.0` (4baeb950df780092bd3c89fc702a868e99a3a1d2). There are no workarounds beyond upgrading to an unaffected version.\n\n#### Credits\n\nDiscovered by Cameron Criswell/Skevros using Coverage-guided fuzzing (libFuzzer + AddressSanitizer)", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/PyPI%2FGHSA-wgvc-ghv9-3pmm.json?alt=media" }, { "category": "other", "text": "0.00048", "title": "EPSS" }, { "category": "other", "text": "4.2", "title": "NCSC Score" }, { "category": "other", "text": "There is product_remediation data available from source Redhat", "title": "NCSC Score top decreasing factors" }, { "category": "details", "text": "Severity: 3\n", "title": "Vendor assessment" } ], "product_status": { "known_affected": [ "CSAFPID-5874292", "CSAFPID-1441187", "CSAFPID-1441193", "CSAFPID-1441197", "CSAFPID-5875022", "CSAFPID-5875023", "CSAFPID-5875026", "CSAFPID-1404751", "CSAFPID-5879011", "CSAFPID-5895588", "CSAFPID-5908036", "CSAFPID-5908037", "CSAFPID-5908038", "CSAFPID-5908039", "CSAFPID-5908040", "CSAFPID-5908041", "CSAFPID-5908042", "CSAFPID-5908043", "CSAFPID-5908044" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-wgvc-ghv9-3pmm" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-wgvc-ghv9-3pmm" }, { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-wgvc-ghv9-3pmm" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32874" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32874.json" }, { "category": "external", "summary": "Source - redhat", "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32874.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - debian", "url": "https://security-tracker.debian.org/tracker/CVE-2026-32874" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/PyPI%2FGHSA-wgvc-ghv9-3pmm.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv; redhat", "url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-wgvc-ghv9-3pmm" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv; redhat", "url": "https://github.com/ultrajson/ultrajson/commit/4baeb950df780092bd3c89fc702a868e99a3a1d2" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv; redhat", "url": "https://github.com/ultrajson/ultrajson/releases/tag/5.12.0" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-wgvc-ghv9-3pmm" }, { "category": "external", "summary": "Reference - redhat", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32874" }, { "category": "external", "summary": "Reference - github; osv; redhat", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32874" } ], "remediations": [ { "category": "mitigation", "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "product_ids": [ "CSAFPID-1441187", "CSAFPID-1441193", "CSAFPID-1441197", "CSAFPID-5875022", "CSAFPID-5875023", "CSAFPID-5875026" ] } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-1404751", "CSAFPID-1441187", "CSAFPID-1441193", "CSAFPID-1441197", "CSAFPID-5874292", "CSAFPID-5875022", "CSAFPID-5875023", "CSAFPID-5875026", "CSAFPID-5879011", "CSAFPID-5895588", "CSAFPID-5908036", "CSAFPID-5908037", "CSAFPID-5908038", "CSAFPID-5908039", "CSAFPID-5908040", "CSAFPID-5908041", "CSAFPID-5908042", "CSAFPID-5908043", "CSAFPID-5908044" ] } ], "title": "CVE-2026-32874" } ] }