PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44660 ultrajson CVE debrief

UltraJSON (ujson) versions prior to 5.12.1 contain a memory leak in the `ujson.dump()` function. When writing to a file-like object, if the underlying write() call raises an exception, the reference count of the serialized JSON string object is never decremented, so the string is never freed. The leaked memory equals the full size of the serialized payload for each failed write, and it accumulates for the lifetime of the process. This vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime). The issue was fixed in version 5.12.1. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high availability impact.

Vendor: ultrajson
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Python applications with UltraJSON for high-throughput JSON serialization, particularly those with long-running processes or constrained memory environments. Developers using custom file-like objects with ujson.dump() should prioritize patching.

Technical summary

The vulnerability exists in the C implementation of ujson.dump(). When the function serializes a Python object to JSON and writes the result to a file-like object, it first builds a Python string object holding the serialized data and then calls the object's write() method. If write() raises, the error path returns without calling Py_DECREF on that string, so the string outlives the call and is never freed; the leak per failed call is proportional to the size of the serialized JSON payload. A single failure is harmless in isolation. The leak becomes exploitable where an attacker can cause write() to fail repeatedly, and in long-running processes that are never restarted the accumulated leaks lead to denial of service through memory exhaustion.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade UltraJSON to version 5.12.1 or later
  • Audit application code for exception handling around ujson.dump() operations
  • Monitor memory usage in applications performing high-volume JSON serialization
  • Review file-like object implementations for potential write failures that could trigger this leak
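To turn the technical summary and the audit and monitoring actions above into a concrete check, the following added example (not the debrief's or the ujson project's own code) measures how many bytes survive each dump() call whose write() fails, and shows the workaround of serializing with dumps() in Python and writing the result yourself so that the string is owned by Python code and released by refcounting. The FailingWriter class, the constructed payload, the helper names and the 50% leak threshold are this example's own choices; ujson is imported only if installed, otherwise the script exercises the standard library json module, which does not leak.

```python
"""Check whether a JSON library's dump() retains the serialized payload when
the target file object's write() raises. Added example, not part of the
debrief or the ujson project; the payload below is constructed, not captured."""
import functools
import gc
import json
import tracemalloc


class FailingWriter:
    """File-like object whose write() always fails (think closed socket or
    full disk). Constructed for the test: every call raises OSError."""

    def write(self, data):
        raise OSError("simulated write failure")


def make_payload(records=2000):
    """Constructed sample document, large enough that a leaked copy stands
    out from allocator noise."""
    return {"events": [{"id": i, "host": f"host-{i:04d}", "msg": "x" * 16}
                       for i in range(records)]}


def bytes_retained_per_dump(dump, payload, iterations=20):
    """Call dump(payload, fp) `iterations` times against a FailingWriter and
    return the average number of bytes still allocated per call afterwards.
    A correct dump() leaves about 0; the vulnerable ujson.dump() leaves
    roughly the serialized size of `payload` for every failed call."""
    started_here = not tracemalloc.is_tracing()
    if started_here:
        tracemalloc.start()  # hooks PyObject_Malloc, so C-extension strings count
    fp = FailingWriter()
    try:
        try:  # warm-up so first-call caches and interned strings are not counted
            dump(payload, fp)
        except OSError:
            pass
        gc.collect()
        before, _ = tracemalloc.get_traced_memory()
        for _ in range(iterations):
            try:
                dump(payload, fp)
            except OSError:
                pass  # expected: the write failed; any leak is already behind us
        gc.collect()
        after, _ = tracemalloc.get_traced_memory()
    finally:
        if started_here:
            tracemalloc.stop()
    return (after - before) / iterations


def check_dump_for_leak(dump, dumps, payload=None, iterations=20):
    """Verdict dict: `leaking` is True when more than half of the serialized
    size survives each failed call (the 50% threshold is this example's choice)."""
    payload = payload if payload is not None else make_payload()
    serialized_size = len(dumps(payload))
    retained = bytes_retained_per_dump(dump, payload, iterations)
    return {"bytes_per_call": retained, "serialized_size": serialized_size,
            "leaking": retained > serialized_size / 2}


def dump_via_dumps(obj, fp, dumps=json.dumps, **kwargs):
    """Workaround until the upgrade lands: serialize with dumps(), then write.
    If write() raises, `text` is an ordinary Python local and is freed by
    refcounting no matter how the C extension handles its own error path."""
    text = dumps(obj, **kwargs)
    fp.write(text)


def stdlib_baseline(iterations=20):
    """Baseline against the standard library, which releases the buffer."""
    return check_dump_for_leak(json.dump, json.dumps, iterations=iterations)


def workaround_check(dumps=json.dumps, iterations=20):
    """Run the same measurement through dump_via_dumps() with a given dumps()."""
    dump = functools.partial(dump_via_dumps, dumps=dumps)
    return check_dump_for_leak(dump, dumps, iterations=iterations)


def write_failure_propagates(dumps=json.dumps):
    """The workaround must not swallow the error: callers still see the OSError."""
    try:
        dump_via_dumps({"ok": False}, FailingWriter(), dumps=dumps)
    except OSError:
        return True
    return False


if __name__ == "__main__":
    candidates = {"json": stdlib_baseline()}
    try:
        import ujson  # optional: only present if the library under test is installed
        candidates["ujson"] = check_dump_for_leak(ujson.dump, ujson.dumps)
        candidates["ujson via dumps()"] = workaround_check(dumps=ujson.dumps)
    except ImportError:
        pass
    for name, verdict in candidates.items():
        print(name, verdict)
```

Run it inside the virtualenv of an affected application. On ujson versions before 5.12.1 the `ujson` row reports bytes_per_call close to serialized_size and `leaking: True`; after upgrading it drops to near zero, and the `ujson via dumps()` row stays near zero either way. The workaround is a stopgap for code paths whose write target can fail repeatedly; the upgrade remains the fix.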

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-c38f-wx89-p2xg. Fix commit 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9 addresses the missing Py_DECREF on the serialized string when write exceptions occur.

Official resources

2026-05-27