Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
Published: 2026-05-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

UltraJSON encodes JSON strings in C and, before version 5.12.1, treats a write failure during ujson.dump() as a non‑cleanup path. The serialization buffer is not released when the underlying file write raises an exception, causing a memory leak that equals the full payload size for each failed write. This flaw can exhaust available memory, leading to denial of service for the process, and potentially for the host if the process is privileged. The weakness is a classic resource management error (CWE‑401).

Affected Systems

The vulnerable library is ultrajson:ultrajson, affecting all installations of UltraJSON prior to version 5.12.1 for Python 3.7 and later. The fix is included in release 5.12.1.

Risk and Exploitability

The CVSS score of 8.7 marks the vulnerability as high severity. Because the flaw is triggered by a write exception, it is most readily exploitable by an attacker who can control the file‑like destination or induce a write error, such as providing a disk‑full or unwritable file or by manipulating I/O in a long‑running process. The EPSS score is not available, and the issue is not listed in CISA KEV, suggesting that a known exploit is not publicly reported. However, the impact of memory exhaustion could affect availability, and the local nature of the attack vector means that local code execution or privilege escalation that enables usage of ujson.dump() would compound the risk.

Generated by OpenCVE AI on May 27, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade UltraJSON to version 5.12.1 or later.
  • Avoid writing serialized JSON to file‑like objects that may raise exceptions without proper error handling; use try‑except blocks to catch write errors before they lead to leak conditions.
  • Configure deployment environments to apply memory limits or container quotas to the Python processes using ujson.dump() in order to mitigate potential exhaustion effects.

Generated by OpenCVE AI on May 27, 2026 at 23:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c38f-wx89-p2xg UltraJSON has a Memory Leak in ujson.dump() on Write Failure
History

Thu, 28 May 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Ultrajson
Ultrajson ultrajson
Vendors & Products Ultrajson
Ultrajson ultrajson

Wed, 27 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
Title UltraJSON: Memory Leak in ujson.dump() on Write Failure
Weaknesses CWE-401
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ultrajson Ultrajson
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T20:42:59.830Z

Reserved: 2026-05-07T16:20:08.659Z

Link: CVE-2026-44660

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-27T21:16:17.650

Modified: 2026-05-27T21:16:17.650

Link: CVE-2026-44660

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T02:00:04Z

Weaknesses