UltraJSON vulnerabilities
Published: Tue, 28 Apr 2026 17:32
Summary
Several security issues were fixed in UltraJSON.
Details
Cameron Criswell discovered that UltraJSON contained a memory leak that would occur when parsing large integers. An attacker could possibly use this issue to cause UltraJSON to crash, resulting in a denial of service. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-32874) It was discovered that UltraJSON contained integer overflow/underflow issues when calculating how much memory to reserve for indentation in certain instances. An attacker could possibly use this issue to cause UltraJSON to crash, resulting in a denial of service. (CVE-2026-32875)
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu jammy
ujson→5.1.0-1ubuntu0.1~esm2apt_upgrade_esmFixed at 5.1.0-1ubuntu0.1~esm2 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y ujson=5.1.0-1ubuntu0.1~esm2
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
python3-ujson→5.1.0-1ubuntu0.1~esm2apt_upgrade_esmFixed at 5.1.0-1ubuntu0.1~esm2 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y python3-ujson=5.1.0-1ubuntu0.1~esm2
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu noble
ujson→5.9.0-1ubuntu0.1~esm1apt_upgrade_esmFixed at 5.9.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y ujson=5.9.0-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
python3-ujson→5.9.0-1ubuntu0.1~esm1apt_upgrade_esmFixed at 5.9.0-1ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y python3-ujson=5.9.0-1ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu questing
ujson→5.10.0-1ubuntu0.1apt_upgradeStandard apt upgrade. Install 5.10.0-1ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y ujson
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-ujson→5.10.0-1ubuntu0.1apt_upgradeStandard apt upgrade. Install 5.10.0-1ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-ujson
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu resolute
ujson→5.11.0-3ubuntu0.1apt_upgradeStandard apt upgrade. Install 5.11.0-3ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y ujson
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-ujson→5.11.0-3ubuntu0.1apt_upgradeStandard apt upgrade. Install 5.11.0-3ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-ujson
Most apt upgrades restart their service automatically. needrestart lists anything else.
Are YOU affected by USN-8219-1?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8219-1 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.