CVE-2026-44660
Analyzed Analyzed - Analysis Complete
Memory Leak in UltraJSON JSON Serialization

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-02
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-44660
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ultrajson_project ultrajson to 5.12.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in UltraJSON, a fast JSON encoder and decoder written in pure C with Python bindings. Before version 5.12.1, when the function ujson.dump() attempts to write JSON data to a file-like object and the write operation fails by raising an exception, the memory allocated for the serialized JSON string is not properly released. This causes a memory leak where the full size of the serialized payload remains allocated even after the failure.

Impact Analysis

This vulnerability can lead to memory leaks in applications using UltraJSON versions prior to 5.12.1 when writing JSON data to file-like objects fails. Over time, repeated failed write operations can consume increasing amounts of memory, potentially degrading system performance or causing the application to crash due to exhaustion of available memory.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade UltraJSON (ujson) to version 5.12.1 or later, where the memory leak issue during failed write operations has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart