2482406 – (CVE-2026-44660) CVE-2026-44660 python-ujson: UltraJSON: Memory leak leading to Denial of Service

Bug 2482406 (CVE-2026-44660) - CVE-2026-44660 python-ujson: UltraJSON: Memory leak leading to Denial of Service

Summary: CVE-2026-44660 python-ujson: UltraJSON: Memory leak leading to Denial of Service

Keywords:
Status:	NEW
Alias:	CVE-2026-44660
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2486951 2486952 2486949 2486950
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-27 21:02 UTC by OSIDB Bzimport
Modified:	2026-06-09 10:14 UTC (History)
CC List:	31 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-27 21:02:09 UTC

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.

Note You need to log in before you can comment on or make changes to this bug.

anthomas
aprice
bbrownin
eglynn
ehelms
ggainey
jjoyce
jkoehler
jpretori
jsamir
jschluet
juwatts
jwong
kshier
lhh
lphiri
mburns
mgarciac
mhulan
nmoumoul
oezr
omaciel
osousa
pcreech
rchan
rjohnson
smallamp
stcannon
teagle
tmalecek
ttakamiy