Python UltraJSON, Memory Leak (ujsondump write failure), CVE-2026-44660 (Medium)

Listen to this Post

Technical Details – How the CVE Works

The vulnerability resides in the `objToJSONFile()` function inside src/ujson/python/objToJSON.c. When `ujson.dump()` writes to a file‑like object, the function first allocates a Python string object by calling ujson_dumps_internal(). This string holds the full serialized JSON payload. The function then attempts to write that string to the provided file‑like object by invoking its `write()` method. If the `write()` operation raises an exception (for instance, because the remote client closes the connection mid‑response), the code returns early through error‑handling paths located at line 931 and line 942. However, those early‑return paths never call `Py_DECREF(string)` on the allocated string object. As a result, the reference count of the string is not decremented, and the memory consumed by the serialized payload is never freed. Each failed write operation leaks memory equal to the size of the JSON payload that was being sent. An attacker who can trigger repeated write failures (e.g., by closing a network connection while a web server is responding with a large JSON object) can cause linear memory growth, eventually exhausting all available memory and leading to a denial‑of‑service condition. The issue is fixed in UltraJSON 5.12.1, where the missing `Py_DECREF()` calls have been added.

DailyCVE Form

Platform: Python (UltraJSON)
Version: < 5.12.1
Vulnerability: Memory leak (ujson.dump)
Severity: Medium
Date: 2026-05-11

Prediction: Patch available 2026-05-06

What Undercode Say:

Reproduce the memory leak
python3 -c "
import gc, tracemalloc, ujson
class BadFile:
def write(self, s):
raise RuntimeError('boom')
obj = {'x': 'A' 200000}
tracemalloc.start()
gc.collect()
base = tracemalloc.get_traced_memory()[bash]
for i in range(5):
try:
ujson.dump(obj, BadFile())
except RuntimeError:
pass
gc.collect()
cur = tracemalloc.get_traced_memory()[bash]
print(i, cur - base)
"

Exploit:

An attacker repeatedly sends HTTP requests to a web server that returns JSON responses using ujson.dump(). Immediately after each request, the attacker closes the TCP connection, causing the `write()` method to raise an exception. The server leaks the full size of each JSON response. Over time, memory consumption grows linearly, leading to server crash and denial of service.

Protection from this CVE

  • Upgrade to UltraJSON version 5.12.1 or later.
  • As a workaround, replace `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` — this avoids the vulnerable code path.

Impact

Denial of service due to uncontrolled memory growth. A remote attacker can exhaust all available memory on the target system, causing the application to crash or become unresponsive.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top