CVE-2026-44660: ujson Memory Leak in dump() Enables Resource Exhaustion on Write Failure
A critical memory leak vulnerability has been identified in UltraJSON (ujson) versions 5.12.0 and earlier, tracked as CVE-2026-44660 and documented under GitHub Security Advisory GHSA-c38f-wx89-p2xg. The flaw resides in the `ujson.dump()` function when serializing data to file-like objects. When the write operation raises an exception, the reference count of the serialized JSON string object is never decremented, so the string is never freed. Each failed write therefore leaks the full size of the serialized payload, creating a compounding resource exhaustion risk for applications that encounter repeated write failures.
The vulnerability affects any Python application relying on `ujson.dump()` for JSON serialization to writable destinations, particularly services handling high-volume data streams, file exports, or network transmissions where I/O errors can occur intermittently. The security advisory classifies the flaw as exploitable by an attacker who can trigger write failures at scale, potentially degrading application performance or causing outright denial of service through memory exhaustion. Maintainers have released ujson version 5.12.1, which fixes the flaw present in the vulnerable 5.12.0 release. Developers using affected versions are advised to upgrade immediately, especially in production environments where untrusted input or unreliable storage backends may increase the likelihood of write errors.
The disclosure follows standard coordinated vulnerability reporting practices, and the patch is now available through the usual Python package distribution channels. Organizations with automated dependency management via tools like Renovate should already have received, or will shortly receive, pull requests updating the affected library. Security teams should audit their dependency trees for ujson usage, assess exposure based on whether `ujson.dump()` is called against untrusted or high-throughput write targets, and prioritize patching in any externally facing or resource-constrained services.
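The following script is an added example, not code from the advisory or from the ujson project. It ties together the three practical steps above: checking whether an installed ujson version falls below the 5.12.1 fix, an interim mitigation (`safe_dump`) that serializes with `dumps()` in Python and writes the resulting string itself, so a write failure never enters the `dump()` error path the advisory describes, and a `tracemalloc`-based probe (`measure_growth`) that drives repeated write failures against a constructed `FailingWriter` and reports net heap growth. The payload, the failing writer, and the fallback to the standard-library `json` module when ujson is not installed are all assumptions made so the script runs anywhere; the version-comparison helper is a simplified parser, not a replacement for `packaging.version`.

```python
import tracemalloc

try:
    import ujson as json_impl  # the library the advisory concerns, when installed
except ImportError:  # assumption: stdlib json stands in so the script runs without ujson
    import json as json_impl

# First fixed release per the advisory: 5.12.1; 5.12.0 and earlier are affected.
FIXED_VERSION = (5, 12, 1)

# Constructed sample payload (roughly 17 KB serialized) standing in for an export record set.
PAYLOAD = {"records": [{"id": i, "note": "x" * 64} for i in range(200)]}


def parse_version(version: str) -> tuple:
    """Turn '5.12.0' (or '5.12.1rc1') into a comparable tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when an installed ujson version is below the 5.12.1 fix."""
    return parse_version(version) < FIXED_VERSION


class FailingWriter:
    """Constructed file-like object whose write() always raises, simulating an I/O failure."""

    def __init__(self) -> None:
        self.calls = 0

    def write(self, data: str) -> int:
        self.calls += 1
        raise OSError("simulated write failure")


def safe_dump(obj, fp) -> int:
    """Interim mitigation: serialize with dumps() in Python, then write the str ourselves.

    A write failure propagates from fp.write() while 'data' is an ordinary local that
    Python's reference counting releases normally, so the dump() error path the advisory
    describes is never entered. Returns the number of characters written on success.
    """
    data = json_impl.dumps(obj)
    fp.write(data)
    return len(data)


def measure_growth(dump_fn, obj, iterations: int = 100) -> int:
    """Call dump_fn(obj, FailingWriter()) repeatedly; return net traced heap growth in bytes.

    A leaked serialized string shows up as growth on the order of
    iterations * len(serialized); a correct error path shows only allocator noise.
    """
    tracemalloc.start()
    try:
        try:
            dump_fn(obj, FailingWriter())  # warm-up so one-time caches do not count as growth
        except OSError:
            pass
        before = tracemalloc.take_snapshot()
        for _ in range(iterations):
            try:
                dump_fn(obj, FailingWriter())
            except OSError:
                pass
        after = tracemalloc.take_snapshot()
    finally:
        tracemalloc.stop()
    return sum(stat.size_diff for stat in after.compare_to(before, "lineno"))


if __name__ == "__main__":
    version = getattr(json_impl, "__version__", "unknown")
    print(f"serializer: {json_impl.__name__} {version}")
    if json_impl.__name__ == "ujson":
        print("below the CVE-2026-44660 fix:", is_vulnerable(version))
    print("serialized payload size:", len(json_impl.dumps(PAYLOAD)), "bytes")
    # On an affected ujson the first figure grows with iterations * payload size;
    # safe_dump() stays flat because the string is released by ordinary refcounting.
    print("heap growth with dump():     ", measure_growth(json_impl.dump, PAYLOAD))
    print("heap growth with safe_dump():", measure_growth(safe_dump, PAYLOAD))
```

Run it in the environment under audit; a large positive growth figure for `dump()` against the failing writer, alongside a flat figure for `safe_dump()`, reproduces the behaviour the advisory describes and confirms that upgrading to 5.12.1 (or routing writes through `dumps()` in the meantime) is warranted. `tracemalloc` only sees allocations made through Python's allocator, which is where the leaked string object lives, so the probe is a heuristic rather than a complete memory accounting.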