CVE-2026-44660
7.5 HIGH
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+
Published: 2026-05-27 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-401
Affected products
| Vendor | Product |
|---|---|
| ultrajson_project | ultrajson |
Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the reference count of the serialized JSON string object is not decremented, so the string is never freed and its memory leaks. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
Source: NVD
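A regression check for the failure mode described above, added here as an example and not taken from the ultrajson project: it measures memory retained per failed `dump(obj, fp)` call with `tracemalloc`, and works for any callable with that signature. `FailingWriter`, `leaky_dump` and `SAMPLE` are constructed for illustration; `leaky_dump` only imitates the unpatched behaviour.

```python
import gc
import json
import tracemalloc


class FailingWriter:
    """File-like object whose write() always raises, like a closed socket or full disk."""

    def write(self, data):
        raise OSError("constructed write failure")


def leaked_bytes_per_failed_write(dump, obj, attempts=50):
    """Average traced memory growth per failed dump(obj, fp) call."""
    started_here = not tracemalloc.is_tracing()
    if started_here:
        tracemalloc.start()
    try:
        fp = FailingWriter()

        def attempt():
            try:
                dump(obj, fp)
            except OSError:
                pass  # the failure is expected; only its memory effect matters

        attempt()  # warm-up so one-time caches are not counted as a leak
        gc.collect()
        before, _ = tracemalloc.get_traced_memory()
        for _ in range(attempts):
            attempt()
        gc.collect()
        after, _ = tracemalloc.get_traced_memory()
        return (after - before) / attempts
    finally:
        if started_here:
            tracemalloc.stop()


def is_leaking(dump, obj, attempts=50):
    """True when each failed write retains at least half the serialized payload."""
    return leaked_bytes_per_failed_write(dump, obj, attempts) >= len(json.dumps(obj)) / 2


# Constructed stand-in for the unpatched behaviour: it keeps a reference to
# every serialized string, so a failed write never frees it.
_RETAINED = []

def leaky_dump(obj, fp):
    text = json.dumps(obj)
    _RETAINED.append(text)
    fp.write(text)


SAMPLE = {"records": ["x" * 64] * 2000}  # constructed payload, about 136 KB serialized
```

On a host with ujson installed, `is_leaking(ujson.dump, SAMPLE)` applies the same measurement to the real library; this assumes the serialized string is allocated through Python's object allocator, which is what `tracemalloc` traces.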
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-44660
- [Patch] https://github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9
- [Other] https://github.com/ultrajson/ultrajson/releases/tag/5.12.1
- [Patch] https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xg
Related CVEs
Same CWE
- CVE-2026-0646 — A denial-of-service security issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests
- CVE-2026-48059 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
- CVE-2026-48043 — Netty is a network application framework for development of protocol servers and clients (5.3 MEDIUM)
- CVE-2026-48006 — Netty is a network application framework for development of protocol servers and clients (7.5 HIGH)
- CVE-2026-20746 — Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap w...