CVE-2026-44660

7.5 HIGH
Published: May 27, 2026 Modified: June 02, 2026
View on NVD

Description

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9
Source: security-advisories@github.com
Patch
https://github.com/ultrajson/ultrajson/releases/tag/5.12.1
Source: security-advisories@github.com
Product Release Notes
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
Source: security-advisories@github.com
Exploit Mitigation Patch Vendor Advisory
https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Mitigation Patch Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
0.1%
17th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-401

Affected Vendors

ultrajson_project

Related CVEs

CVE-2026-6517 6.3
CVE-2026-5242 8.8
CVE-2026-5233 7.1
CVE-2026-5230 7.1
CVE-2026-5079 7.5