PT-2026-40549 · Canonical+3 · Collada2Gltf+3

Zwique · Published 2026-05-12 · Updated 2026-06-01 · CVE-2026-44660

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: UltraJSON versions prior to 5.12.1

Description: A memory leak occurs when the ujson.dump() function writes to a file-like object and the write operation raises an exception. The objToJSONFile() function allocates a Python string object but fails to call Py_DECREF(string) on the early-exit path taken when the write fails, so the entire serialized payload is leaked. If an application serializes data to an attacker-influenced file-like object whose write can fail, memory grows linearly with each failed call and can exhaust the memory of a web server.

Recommendations: Update to version 5.12.1. As a temporary workaround, replace ujson.dump(obj, file) with file.write(ujson.dumps(obj)): the serialized string is then an ordinary Python object that is released when the write exception propagates, so the leak is avoided.
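A check for the behaviour described above, added here as an example (not code from the advisory or the UltraJSON project): it applies the advisory's workaround in safe_dump() and measures with tracemalloc whether repeated write failures grow the heap. It assumes ujson is importable and otherwise falls back to the stdlib json module, which only exercises the harness, not the bug.

```python
import gc
import tracemalloc

try:
    import ujson as json_mod  # the library the advisory describes
except ImportError:
    import json as json_mod  # assumption: stdlib stand-in so the harness runs anywhere


class FailingWriter:
    """Constructed file-like object whose write() always fails (closed socket, full disk)."""

    def write(self, data):
        raise OSError("simulated write failure")


def safe_dump(obj, fp):
    """Workaround from the advisory: serialize fully in Python, then write the
    finished string. If write() raises, the string is an ordinary local that
    is released when this frame unwinds, so nothing leaks."""
    fp.write(json_mod.dumps(obj))


def leak_after_failed_writes(dump_fn, obj, iterations=200):
    """Heap growth in bytes (tracemalloc-tracked) after `iterations` calls to
    dump_fn(obj, FailingWriter()) that each raise. A leaking dump grows by
    roughly iterations * len(dumps(obj)); a clean one stays near zero."""
    writer = FailingWriter()
    tracemalloc.start()
    try:
        gc.collect()
        before = tracemalloc.get_traced_memory()[0]
        for _ in range(iterations):
            try:
                dump_fn(obj, writer)
            except OSError:
                pass  # expected: every write fails
        gc.collect()
        after = tracemalloc.get_traced_memory()[0]
    finally:
        tracemalloc.stop()
    return after - before


# Constructed sample payload, roughly 8 KB when serialized.
PAYLOAD = {"records": [{"id": i, "note": "x" * 64} for i in range(100)]}

if __name__ == "__main__":
    print("growth, workaround path :", leak_after_failed_writes(safe_dump, PAYLOAD))
    print("growth, <module>.dump() :", leak_after_failed_writes(json_mod.dump, PAYLOAD))
```

On an unpatched ujson install the second line reports growth close to 200 times the payload size while the workaround path stays near zero; on 5.12.1 or the stdlib fallback both stay near zero.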

Exploit · Fix · Memory Leak


Weakness Enumeration

Related Identifiers

CVE-2026-44660
GHSA-C38F-WX89-P2XG

Affected Products

Collada2Gltf
Pandas
Ujson
Ultrajson