CVE-2026-44660
Memory Leak in UltraJSON JSON Serialization
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ultrajson | ultrajson | 5.12.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in UltraJSON, a fast JSON encoder and decoder written in pure C with Python bindings. Before version 5.12.1, when the function ujson.dump() attempts to write JSON data to a file-like object and the write operation fails by raising an exception, the memory allocated for the serialized JSON string is not properly released. This causes a memory leak where the full size of the serialized payload remains allocated even after the failure.
How can this vulnerability impact me? :
This vulnerability can lead to memory leaks in applications using UltraJSON versions prior to 5.12.1 when writing JSON data to file-like objects fails. Over time, repeated failed write operations can consume increasing amounts of memory, potentially degrading system performance or causing the application to crash due to exhaustion of available memory.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade UltraJSON (ujson) to version 5.12.1 or later, where the memory leak issue during failed write operations has been fixed.