Threat Advisory

UltraJSON has a Memory Leak in ujson.dump() on Write Failure

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44660 (CVSS score 8.7) is a memory leak vulnerability in the UltraJSON library. When `ujson.dump()` serializes an object to a file-like object and that object's `write()` call fails, the memory allocated for that call is not freed. ujson versions up to and including 5.12.0 are affected. An attacker who can influence the file-like object an application writes JSON to, so that its `write()` fails, can trigger the leak repeatedly; memory then grows linearly with the number of failed writes until the process runs out of memory and service is denied. The business impact is greatest for applications that serialize with `ujson.dump()` directly to an attacker-influenced destination that can fail, such as a web server writing JSON responses to client connections. The precondition for exploitation is the ability to make the target's write fail: an attacker who cannot influence the file-like object passed to `ujson.dump()` cannot trigger the leak.
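The harness below is an added example written for this advisory; it is not code from the advisory or from the ujson project. It simulates the failure condition described above (a file-like object whose `write()` raises, standing in for a client connection that closed mid-response), drives `ujson.dump()` against it repeatedly, and reports how many failures occurred together with the change in peak resident memory, so an operator can observe the linear growth on a vulnerable build. It also includes a version check against the affected range and a `safe_dump()` helper. The names `FailingWriter`, `CollectingWriter`, `version_is_vulnerable`, `reproduce_leak` and `safe_dump` are hypothetical; the fallback to the standard-library `json` module when ujson is not installed is an assumption made so the script runs anywhere (the leak itself only manifests with a vulnerable ujson), and the `dumps()`-then-`write()` workaround is the author's suggestion, not an official mitigation: upgrading is the fix.

```python
"""
Reproduction harness and workaround for the ujson.dump() write-failure leak.

Added example for this advisory, not code from ujson. Assumptions:
  * the failing destination is simulated by FailingWriter (a stand-in for a
    socket the peer has closed);
  * ujson is used when installed, otherwise the stdlib json module so the
    script still runs (only vulnerable ujson builds show growing RSS).
"""
import itertools
import sys
from typing import Optional, Tuple

try:
    import ujson as json_impl                      # the library under discussion
    UJSON_VERSION = getattr(json_impl, "__version__", None)
except ImportError:                                # assumption: keep the harness runnable
    import json as json_impl
    UJSON_VERSION = None

try:
    import resource                                # Unix only; used to watch RSS
except ImportError:
    resource = None

# Constructed sample payload, large enough that each failed dump() allocates a
# buffer whose leak is visible in RSS after a few thousand iterations.
PAYLOAD = {"id": 42, "tags": ["tag"] * 4096, "note": "x" * 65536}


class FailingWriter:
    """File-like object whose write() always fails, like a closed client socket."""

    def __init__(self) -> None:
        self.calls = 0

    def write(self, data) -> int:
        self.calls += 1
        raise OSError("simulated write failure (peer closed connection)")


class CollectingWriter:
    """Well-behaved file-like object used to show the success path."""

    def __init__(self) -> None:
        self.chunks = []

    def write(self, data) -> int:
        self.chunks.append(data)
        return len(data)

    def getvalue(self) -> str:
        return "".join(self.chunks)


def version_is_vulnerable(version: str) -> bool:
    """True for ujson <= 5.12.0, the affected range named in the advisory.
    Pre-release suffixes are ignored ('5.12.0rc1' counts as 5.12.0)."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(itertools.takewhile(str.isdigit, piece)) or "0"
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) <= (5, 12, 0)


def rss_peak() -> Optional[int]:
    """Peak RSS of this process (KiB on Linux, bytes on macOS), or None off-Unix."""
    if resource is None:
        return None
    return resource.getrusage(resource.RUSAGE_SELF).ru_maxrss


def reproduce_leak(iterations: int) -> Tuple[int, Optional[int]]:
    """Call dump() against a failing writer `iterations` times.

    Returns (write failures caught, peak-RSS delta). On a vulnerable ujson the
    delta grows roughly linearly with `iterations`; on a fixed build, or with
    the stdlib json fallback, it stays flat."""
    before = rss_peak()
    failures = 0
    for _ in range(iterations):
        writer = FailingWriter()
        try:
            json_impl.dump(PAYLOAD, writer)       # every call fails inside write()
        except OSError:
            failures += 1
    after = rss_peak()
    delta = None if before is None else after - before
    return failures, delta


def safe_dump(obj, fp) -> int:
    """Workaround (author's suggestion, not an official fix): serialize to a
    str first, then write it. The buffer is an ordinary Python object freed by
    reference counting, so a failing write() raises without leaving native
    memory behind. Returns the number of characters handed to fp.write()."""
    data = json_impl.dumps(obj)
    fp.write(data)
    return len(data)


if __name__ == "__main__":
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 5000
    if UJSON_VERSION is not None:
        print(f"ujson {UJSON_VERSION}: in affected range: {version_is_vulnerable(UJSON_VERSION)}")
    else:
        print("ujson not installed; running with stdlib json (no leak expected)")
    failures, delta = reproduce_leak(n)
    print(f"{failures} failed dump() calls, peak RSS delta: {delta}")
```

Run it twice with different iteration counts (for example 2000 and 20000) on the ujson build in use: a delta that scales with the count is the leak; a flat delta means the build is fixed or the fallback is in use. In production code the right response is still the upgrade in the recommendation below; `safe_dump()` only narrows the window where native memory is held.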


RECOMMENDATION:

We recommend updating ujson to version 5.12.1 or later.

REFERENCES:

The following advisory contains further technical details:
https://github.com/advisories/GHSA-c38f-wx89-p2xg
