๐Ÿ” CVE Alert

CVE-2026-44660

UNKNOWN 0.0

UltraJSON: Memory Leak in ujson.dump() on Write Failure

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 12th

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the reference count of the serialized JSON string object is not decremented, so the object is never freed and its memory leaks. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.

CWE CWE-401
Vendor ultrajson
Product ultrajson
Published May 27, 2026
Last Updated May 30, 2026

Affected Versions

ultrajson / ultrajson
< 5.12.1

References

github.com: https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
github.com: https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9
github.com: https://github.com/ultrajson/ultrajson/releases/tag/5.12.1