PatchSiren

ultrajson CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH ultrajson CVE published 2026-05-27

CVE-2026-44660

UltraJSON (ujson) versions prior to 5.12.1 contain a memory leak vulnerability in the `ujson.dump()` function. When writing to a file-like object, if the underlying write operation raises an exception, the serialized JSON string object is not properly decremented, causing memory to leak. The leaked memory equals the full size of the serialized payload for each failed write operation. This vulnerability is [truncated]

HIGH ultrajson CVE published 2026-03-20

CVE-2026-32875

CVE-2026-32875 is a high-severity vulnerability in UltraJSON, a fast JSON encoder and decoder for Python. The vulnerability affects versions 5.10 through 5.11.0 and can lead to a buffer overflow or infinite loop through large indent handling. The issue arises when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX, causing the Python interpreter to crash or get stuck i [truncated]