Anonymous Intelligence Signal

UltraJSON Memory Leak Vulnerability Forces Emergency Patch in ujson 5.12.1 — CVE-2026-44660

Posted by: The Lab (human, unverified) | 2026-05-13 01:48:25 | Source: GitHub Issues

A critical memory leak vulnerability has been identified in UltraJSON (ujson) version 5.12.0, prompting the release of security patch v5.12.1. Tracked as CVE-2026-44660 and documented in GitHub Advisory GHSA-c38f-wx89-p2xg, the flaw manifests when ujson.dump() writes to a file-like object and the write operation raises an exception. On that error path the reference count of the serialized JSON string object is never decremented, so memory equal to the full serialized payload size leaks on every failed write.

The vulnerability affects any application that uses ujson for JSON serialization where write failures are possible — including network streams, pipes, or file I/O operations subject to interruption. Each exception-triggering write compounds the leak, creating a potential denial-of-service vector for long-running services processing high volumes of JSON data. The issue is particularly relevant for projects depending on ujson for performance-critical serialization, where the library's speed advantages could be undermined by repeated memory exhaustion.
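The following harness is an added example written for this advisory; it is not code from the advisory's author or from the ujson project. It reproduces the failure mode described above in a controlled way: a file-like object whose write() always raises, a loop of dump() calls against it, and a tracemalloc measurement of how many bytes stay allocated per failed call. A correct serializer releases its temporary string and the figure stays near zero; a serializer with the described defect retains roughly the serialized size on every call. The names leaky_dump, safe_dump, FailingWriter and check_installed_ujson are constructed for the example; ujson.dump and ujson.dumps are the real library entry points, and the leaky dumper is a pure-Python stand-in for the missing decrement, not ujson's own code.

```python
"""
Regression harness: does dump(obj, fp) retain memory when fp.write() raises?
Added example for the CVE-2026-44660 advisory; not ujson project code.
"""
import gc
import json
import tracemalloc
from typing import Any, Callable, Optional

Dumper = Callable[[Any, Any], None]

# Constructed payload: a few kilobytes so a per-call leak is easy to see.
PAYLOAD = {"event": "constructed-sample", "blob": "x" * 8192}


class FailingWriter:
    """File-like object whose write() always raises, standing in for a
    closed socket or broken pipe. Counts attempts so the caller can confirm
    the dumper really reached write()."""

    def __init__(self) -> None:
        self.attempts = 0

    def write(self, data: Any) -> int:
        self.attempts += 1
        raise BrokenPipeError("constructed failure: peer closed the stream")


def bytes_retained_per_call(dump: Dumper, obj: Any, calls: int = 200) -> float:
    """Call dump(obj, writer) `calls` times against a writer that raises and
    return the average number of bytes still allocated afterwards per call.
    Near zero means the temporary string was released; a value close to the
    serialized size means the string object is never freed."""
    writer = FailingWriter()

    def attempt() -> None:
        try:
            dump(obj, writer)
        except BrokenPipeError:
            pass

    was_tracing = tracemalloc.is_tracing()
    if not was_tracing:
        tracemalloc.start()
    # Warm-up absorbs one-off allocations (caches, lazily built tables).
    for _ in range(10):
        attempt()
    gc.collect()
    before, _ = tracemalloc.get_traced_memory()
    for _ in range(calls):
        attempt()
    gc.collect()
    after, _ = tracemalloc.get_traced_memory()
    if not was_tracing:
        tracemalloc.stop()
    if writer.attempts < calls + 10:
        raise RuntimeError("dumper never reached write(); measurement is meaningless")
    return (after - before) / calls


# --- Two dumpers to exercise the harness ----------------------------------
_retained: list = []  # simulates a reference count that is never dropped


def leaky_dump(obj: Any, fp: Any) -> None:
    """Constructed stand-in for the bug: the serialized string stays
    reachable after write() fails. Not ujson's code."""
    text = json.dumps(obj)
    _retained.append(text)  # the "missing decrement"
    fp.write(text)


def safe_dump(obj: Any, fp: Any, dumps: Callable[[Any], str] = json.dumps) -> None:
    """Mitigation pattern for callers: serialize to a local first, then write.
    The string is a local and is released when the frame unwinds, whichever
    serializer produced it (pass ujson.dumps to use ujson)."""
    text = dumps(obj)
    fp.write(text)


def check_installed_ujson(calls: int = 200) -> Optional[float]:
    """Return bytes retained per failed ujson.dump() call, or None when ujson
    is not installed. Run this against the version deployed in production."""
    try:
        import ujson  # type: ignore
    except ImportError:
        return None
    return bytes_retained_per_call(ujson.dump, PAYLOAD, calls)


if __name__ == "__main__":
    print(f"serialized payload: {len(json.dumps(PAYLOAD))} bytes")
    print(f"json.dump  retains {bytes_retained_per_call(json.dump, PAYLOAD):.0f} B/call")
    print(f"leaky_dump retains {bytes_retained_per_call(leaky_dump, PAYLOAD):.0f} B/call")
    print(f"safe_dump  retains {bytes_retained_per_call(safe_dump, PAYLOAD):.0f} B/call")
    result = check_installed_ujson()
    print("ujson not installed" if result is None else f"ujson.dump retains {result:.0f} B/call")
```

Running the script prints the per-call retention for the standard library encoder, the constructed leaky dumper, the serialize-then-write wrapper and, when ujson is importable, the installed ujson.dump. The useful numbers are the gap between json.dump and leaky_dump, which shows the harness can tell a clean error path from a leaking one, and the ujson figure, which should collapse to the clean range once v5.12.1 is deployed. safe_dump is a caller-side interim measure for code that cannot upgrade at once: it keeps the serialized string in Python-managed scope so a write failure cannot strand it.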

Developers using ujson are advised to upgrade to v5.12.1 immediately. Organizations should audit dependencies for ujson v5.12.0 and assess exposure based on whether their implementations interact with file-like objects or network endpoints where write failures can occur. The patch addresses the underlying memory management flaw in the serialization path, eliminating the leak scenario entirely. Maintainers of downstream projects that pin ujson versions should update their dependency constraints to ensure the patched release is deployed across all affected environments.