Double free of buffer during string decoding in ujson
Description
UltraJSON prior to 5.4.0 has a double-free vulnerability during string decoding that is not exploitable from Python; fixed in 5.4.0 with no workaround.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-31117 describes a double-free vulnerability in UltraJSON versions prior to 5.4.0. The bug occurs when an error arises during reallocation of a buffer for string decoding, leading to the same buffer being freed twice [1]. This is a classic memory corruption issue in the C core of the library.
The vulnerability is not exploitable from Python code due to the way UltraJSON's internal decoder handles errors [1]. The attack surface is therefore limited to scenarios where an attacker can directly interact with the underlying C library outside of Python bindings, which is unlikely in typical usage.
If triggered, a double free can lead to heap corruption, potentially causing a denial of service or arbitrary code execution in contexts where the C library is directly exposed. However, the impossibility of triggering it from Python significantly reduces the practical risk.
The issue is fixed in UltraJSON version 5.4.0 [1]. Users are advised to upgrade, and there are no known workarounds [1]. The project is in maintenance mode, and users are encouraged to migrate to alternative libraries like orjson [2].
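To make the ownership bug concrete, here is an added C illustration (not ujson's code) of the two shapes described above: a growth helper that frees the caller's buffer when realloc fails, and the corrected helper that leaves the buffer to its owner. A small tracking allocator counts a second free of the same pointer instead of passing it to libc, so the demo runs safely. The field name escStart comes from the patch; DecoderState, the helper names, the tracking allocator and the fault-injection switch are constructed for this example, and uint32_t stands in for JSUINT32.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed tracking allocator: records live pointers so a free of a
 * pointer that is no longer live is counted rather than handed to libc. */
#define MAX_LIVE 16
static void *live_blocks[MAX_LIVE];   /* pointers currently owned by the demo */
static int double_free_count;         /* frees of a pointer that is not live */
static int fail_next_realloc;         /* fault injection: next realloc returns NULL */

/* realloc wrapper: on a (simulated) failure the old block stays valid,
 * exactly as C's realloc guarantees. */
static void *tracked_realloc(void *old, size_t size) {
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    void *fresh = realloc(old, size);
    if (!fresh) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (old && live_blocks[i] == old) { live_blocks[i] = fresh; return fresh; }
    }
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live_blocks[i]) { live_blocks[i] = fresh; return fresh; }
    }
    abort(); /* table full; not reachable in this demo */
}

/* free wrapper: a pointer that is not live is a double free; count it
 * instead of corrupting the heap. Only pointer values are compared. */
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live_blocks[i] == p) { live_blocks[i] = NULL; free(p); return; }
    }
    double_free_count++;
}

/* Minimal stand-in for the decoder state; only escStart matters here. */
struct DecoderState {
    uint32_t *escStart;   /* uint32_t stands in for JSUINT32 */
    size_t escLen;
    int error;
};

typedef int (*grow_fn)(struct DecoderState *, size_t);

/* Pre-5.4.0 shape: the helper frees ds->escStart on realloc failure even
 * though the owner also frees it during error cleanup. */
static int grow_escape_buffer_vulnerable(struct DecoderState *ds, size_t newLen) {
    uint32_t *p = tracked_realloc(ds->escStart, newLen * sizeof *p);
    if (!p) {
        tracked_free(ds->escStart);   /* first free; the owner will free again */
        ds->error = 1;
        return -1;
    }
    ds->escStart = p;
    ds->escLen = newLen;
    return 0;
}

/* 5.4.0 shape: leave ds->escStart untouched on failure; it still points at
 * the valid old block and the owner releases it exactly once. */
static int grow_escape_buffer_fixed(struct DecoderState *ds, size_t newLen) {
    uint32_t *p = tracked_realloc(ds->escStart, newLen * sizeof *p);
    if (!p) {
        ds->error = 1;
        return -1;
    }
    ds->escStart = p;
    ds->escLen = newLen;
    return 0;
}

/* The owner (plays the role of the decode-object cleanup): allocate, try
 * to grow, and free the buffer once on the way out.
 * Returns how many double frees the tracking allocator observed. */
static int run_decode(grow_fn grow, int inject_failure) {
    struct DecoderState ds = {0};
    double_free_count = 0;
    fail_next_realloc = 0;
    ds.escStart = tracked_realloc(NULL, 4 * sizeof(uint32_t));
    ds.escLen = 4;
    fail_next_realloc = inject_failure;
    grow(&ds, 64);               /* return value ignored: cleanup runs either way */
    tracked_free(ds.escStart);   /* the owner's single cleanup */
    return double_free_count;
}

int main(void) {
    printf("vulnerable, realloc fails: %d double free(s)\n",
           run_decode(grow_escape_buffer_vulnerable, 1));
    printf("fixed, realloc fails:      %d double free(s)\n",
           run_decode(grow_escape_buffer_fixed, 1));
    printf("vulnerable, realloc ok:    %d double free(s)\n",
           run_decode(grow_escape_buffer_vulnerable, 0));
    return 0;
}
```

The point the demo makes is about ownership rather than about realloc itself: because a failing realloc leaves the original block intact, the only safe thing for a helper that does not own the buffer is to report the error and return. Counting frees through a wrapper like this (or running the real code under AddressSanitizer) is a cheap way to catch the pattern under injected allocation failures.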
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ujson (PyPI) | < 5.4.0 | 5.4.0 |
Affected products
- pkg:pypi/ujson (no CPE), range: < 5.4.0
- pkg:rpm/opensuse/python-ujson&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 1.35-150100.3.5.1
- pkg:rpm/opensuse/python-ujson&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 1.35-150100.3.5.1
- pkg:rpm/opensuse/python-ujson&distro=openSUSE%20Tumbleweed (no CPE), range: < 5.10.0-1.5
- pkg:rpm/suse/python-ujson&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 (no CPE), range: < 1.35-150100.3.5.1
- pkg:rpm/suse/python-ujson&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4 (no CPE), range: < 1.35-150100.3.5.1
- pkg:rpm/suse/python-ujson&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3 (no CPE), range: < 1.35-150100.3.5.1
- pkg:rpm/suse/python-ujson&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP4 (no CPE), range: < 1.35-150100.3.5.1
Patches
9c20de0f77b3 Merge pull request from GHSA-fm67-cv37-96ff (1 file changed, +1 −1)
lib/ultrajsondec.c+1 −1 modified@@ -384,7 +384,7 @@ static FASTCALL_ATTR JSOBJ FASTCALL_MSVC decode_string ( struct DecoderState *ds escStart = (JSUINT32 *)ds->dec->realloc(ds->escStart, newSize * sizeof(JSUINT32)); if (!escStart) { - ds->dec->free(ds->escStart); + // Don't free ds->escStart here; it gets handled in JSON_DecodeObject. return SetError(ds, -1, "Could not reserve memory block"); } ds->escStart = escStart;
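Review bot: the replacement comment in the failure branch states where the buffer is released but not why it is still safe to leave it, which is the invariant this fix depends on: when realloc returns NULL the old block is untouched and ds->escStart still points at it, so JSON_DecodeObject's cleanup frees a valid pointer exactly once. Suggest making the comment carry that reasoning, e.g. `// realloc failed: ds->escStart still owns the old block; JSON_DecodeObject frees it.` A regression test that injects a failing ds->dec->realloc and checks the buffer is freed exactly once would pin the ownership rule down so it is not reintroduced in another error path.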
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fm67-cv37-96ff (GHSA: advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2/ (MITRE: vendor advisory, FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7/ (MITRE: vendor advisory, FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2022-31117 (GHSA: advisory)
- github.com/ultrajson/ultrajson/commit/9c20de0f77b391093967e25d01fb48671104b15b (GHSA: web, MISC)
- github.com/ultrajson/ultrajson/security/advisories/GHSA-fm67-cv37-96ff (GHSA: web, CONFIRM)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NAU5N4A7EUK2AMUCOLYDD5ARXAJYZBD2 (GHSA: web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OPPU5FZP3LCTXYORFH7NHUMYA5X66IA7 (GHSA: web)