High severity7.5GHSA Advisory· Published May 27, 2026· Updated Jun 2, 2026
CVE-2026-44660
CVE-2026-44660
Description
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ujsonPyPI | < 5.12.1 | 5.12.1 |
Affected products
3- osv-coords2 versions
< 1.23.0-r5+ 1 more
- (no CPE)range: < 1.23.0-r5
- (no CPE)range: < 5.12.1
Patches
Vulnerability mechanics
References
5- github.com/ultrajson/ultrajson/commit/82af1d0ac01d09aa40c887b460d44b9d9f4bccd9nvdPatchWEB
- github.com/ultrajson/ultrajson/security/advisories/GHSA-c38f-wx89-p2xgnvdExploitMitigationPatchVendor AdvisoryWEB
- github.com/advisories/GHSA-c38f-wx89-p2xgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-44660ghsaADVISORY
- github.com/ultrajson/ultrajson/releases/tag/5.12.1nvdProductRelease NotesWEB
News mentions
0No linked articles in our index yet.