CVE-2026-44660: UltraJSON has a Memory Leak in ujson.dump() on Write Failure
When ujson.dump() writes to a file-like object and the write operation raises an exception, the reference count of the serialized JSON string object is not decremented, so the string is never freed and its memory leaks. Each failed write operation leaks the full size of the serialized payload.
Code that uses ujson.dumps() rather than ujson.dump() or only JSON load/decode methods is unaffected.
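One way to find the affected call sites in a code base, as an added example that is not part of the advisory or of UltraJSON: a static check built on Python's `ast` module that reports calls resolving to `ujson.dump()` and skips `dumps()`, the load/decode functions and the standard-library `json`. The function name `find_ujson_dump_calls` and the sample source are constructed for illustration.

```python
import ast

# Constructed sample source; nothing here is executed, only parsed.
SAMPLE = '''\
import json
import ujson
import ujson as fastjson
from ujson import dump as udump, dumps, loads

def save(obj, fp):
    ujson.dump(obj, fp)            # affected
    fastjson.dump(obj, fp)         # affected (aliased module)
    udump(obj, fp)                 # affected (aliased function)
    json.dump(obj, fp)             # stdlib json, not ujson
    fp.write(ujson.dumps(obj))     # dumps(): unaffected per the advisory
    return loads(dumps(obj))       # decode path: unaffected per the advisory
'''

def find_ujson_dump_calls(source, filename="<constructed>"):
    """Return sorted [(lineno, call_text)] for calls that resolve to ujson.dump().

    Import aliases are resolved per file; local rebinding of a name is not
    tracked, so treat the result as a review list, not a proof.
    """
    tree = ast.parse(source, filename=filename)
    module_aliases, func_aliases = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            # "import ujson" / "import ujson as x" bind the module
            module_aliases |= {a.asname or a.name for a in node.names if a.name == "ujson"}
        elif isinstance(node, ast.ImportFrom) and node.module == "ujson":
            # "from ujson import dump [as x]" binds the function itself
            func_aliases |= {a.asname or a.name for a in node.names if a.name == "dump"}
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        via_module = (isinstance(f, ast.Attribute) and f.attr == "dump"
                      and isinstance(f.value, ast.Name) and f.value.id in module_aliases)
        via_name = isinstance(f, ast.Name) and f.id in func_aliases
        if via_module or via_name:
            hits.append((node.lineno, ast.unparse(node)))
    return sorted(hits)

if __name__ == "__main__":
    for lineno, call in find_ujson_dump_calls(SAMPLE):
        print(f"line {lineno}: {call}")
```

Run it over each source file's text; the lines it reports are the `ujson.dump()` calls whose target file-like object can raise on write.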