Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
Published: 2026-05-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

UltraJSON encodes JSON strings in C and, before version 5.12.1, treats a write failure during ujson.dump() as a non‑cleanup path. The serialization buffer is not released when the underlying file write raises an exception, causing a memory leak that equals the full payload size for each failed write. This flaw can exhaust available memory, leading to denial of service for the process and potentially for the host if the process is privileged. The weakness is a classic resource management error (CWE‑401) and also reflects improper release of resources (CWE‑772).

Affected Systems

The vulnerable library is ultrajson:ultrajson, affecting all installations of UltraJSON prior to version 5.12.1 for Python 3.7 and later. The fix is included in release 5.12.1.

Risk and Exploitability

The CVSS score of 8.7 marks the vulnerability as high severity. Based on the description, it is inferred that an attacker who can control the file‑like destination or trigger a write error—such as by providing a disk‑full or unwritable file or manipulating I/O in a long‑running process—can most readily exploit the flaw. The EPSS score of 0.00052 indicates a very low probability of exploitation, and the issue is not listed in CISA KEV, suggesting that a known exploit is not publicly reported. Based on the description, it is inferred that the attack vector is local, requiring control over the process or environment that triggers a write error, and that local code execution or privilege escalation that enables usage of ujson.dump() would compound the risk.

Generated by OpenCVE AI on June 9, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade UltraJSON to version 5.12.1 or later.
  • Avoid writing serialized JSON to file‑like objects that may raise exceptions without proper error handling; use try‑except blocks to catch write errors before they lead to leak conditions.
  • Configure deployment environments to apply memory limits or container quotas to the Python processes using ujson.dump() in order to mitigate potential exhaustion effects.

Generated by OpenCVE AI on June 9, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c38f-wx89-p2xg UltraJSON has a Memory Leak in ujson.dump() on Write Failure
History

Tue, 09 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 02 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Ultrajson Project
Ultrajson Project ultrajson
CPEs cpe:2.3:a:ultrajson_project:ultrajson:*:*:*:*:*:python:*:*
Vendors & Products Ultrajson Project
Ultrajson Project ultrajson
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Sat, 30 May 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Ultrajson
Ultrajson ultrajson
Vendors & Products Ultrajson
Ultrajson ultrajson

Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
Title UltraJSON: Memory Leak in ujson.dump() on Write Failure
Weaknesses CWE-401
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ultrajson Ultrajson
Ultrajson Project Ultrajson
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T01:49:35.278Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44660

cve-icon Vulnrichment

Updated: 2026-05-30T01:49:25.859Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T21:16:17.650

Modified: 2026-06-02T18:00:03.403

Link: CVE-2026-44660

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T20:42:59Z

Links: CVE-2026-44660 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T14:00:06Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime