Severity: HIGH | CVE-2026-44660 | CNA: GitHub_M

CVE-2026-44660: UltraJSON: Memory Leak in ujson.dump() on Write Failure

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the reference count of the serialized JSON string object is not decremented, so the string is never freed. Each failed write operation therefore leaks an allocation the size of the full serialized payload. This vulnerability is fixed in 5.12.1.

HarborGuard Analysis

Synopsis

A memory leak exists in UltraJSON's ujson.dump() when it writes to a file-like object. If the object's write() raises after the payload has been serialized, the reference count of the serialized JSON string is never decremented, so an allocation the size of the full payload is leaked on every failed write. An attacker who can reach the application over a network and repeatedly cause those writes to fail (the CVSS vector assumes no authentication and no user interaction) can exhaust process memory and cause a denial of service. The upstream advisory names ultrajson 5.12.1 as the fixed version; HarborGuard's patched-image rebuild status is tracked under Patch below.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using feeds from upstream sources including GitHub Advisory Database. Matching runs against all images in customer registries and CI pipelines, including custom-built images that bundle ultrajson directly.

Status: Available
Triage

HarborGuard scores this CVE 8.7 (HIGH) from the CVSS v4.0 vector listed under Metrics and weighs that score against each environment's configured compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy rules.

Status: Available
Patch

The upstream advisory lists ultrajson 5.12.1 as the fixed version, but HarborGuard's patch status for this CVE is still pending upstream: the advisory is re-evaluated on every ingest cycle, and a patched-image rebuild is made available automatically as soon as a 5.12.1 (or successor) release is picked up. For customers with auto-remediation enabled, the rebuild, regression run and PR against affected workloads are initiated without manual intervention once that happens.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the application over a network to trigger the write operations that produce the leak.

  • Authentication: Not required

    No credentials or account are needed; the attack is available to any network-accessible client.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the vulnerable service without any social-engineering step.

  • Attack complexity: Low

    Exploiting the leak needs no race condition, special memory layout or environmental prerequisite beyond a code path in which the application calls ujson.dump() on a file-like object whose write() the attacker can make fail, for example by disconnecting while a response is being written directly to the socket. Each such failure leaks one full serialized payload, so larger responses exhaust memory in fewer requests.

Blast Radius

  • Crashes or destabilizes the affected Python process by exhausting available memory through repeated leaked payloads.
  • Causes denial of service for all users and workloads depending on the affected service, as memory exhaustion forces the process to fail or be killed.
  • Does not expose stored data or allow modification of persisted records; confidentiality and data integrity are unaffected.

How HarborGuard Handles This

Detection for this CVE is active across all customer environments and flags any image containing ultrajson < 5.12.1 the moment it appears in a registry or pipeline scan. The upstream advisory names 5.12.1 as the fixed version; until HarborGuard's ingest picks up that release, the advisory is re-checked every cycle and a patched-image rebuild is triggered automatically when it does, followed (for customers with auto-remediation enabled) by a regression run and a PR against affected workloads. In the meantime, compensating controls worth evaluating are: network-policy rules that limit which clients can reach code paths that call ujson.dump() on a stream; container memory ceilings, so a leaking process is restarted rather than taking the node with it; alerting on steady RSS growth that correlates with write errors in the application logs; and, where the application controls the call site, serializing with ujson.dumps() and writing the resulting str from Python, which keeps the string under the interpreter's reference counting and avoids the dump() write path the advisory describes. Where compliance policy permits, HarborGuard can route these findings to prioritized alerting queues so affected images are upgraded promptly once the fix is available.
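As an added check (not HarborGuard's or UltraJSON's code), the harness below measures whether an installed encoder's dump() leaks its serialized string when the target's write() raises, which is the failure mode the synopsis and the compensating controls above describe, and it shows the dumps()-then-write() pattern that keeps the string under Python's own reference counting. The FailingWriter, the sample payload and the tracemalloc-based measurement are this example's constructions; the workaround is inferred from the advisory's description of where the leak sits (inside dump()'s own write path) and is not stated in the advisory. On ultrajson < 5.12.1 it should report roughly the payload size per failure; on 5.12.1, or with the stdlib json.dump used here as a control, it should report close to zero.

```python
"""Added check for the CVE-2026-44660 pattern: does an encoder's dump() leak
its serialized string when the target's write() raises?  Not HarborGuard's
or UltraJSON's code; the failing writer, sample payload and tracemalloc
measurement are this example's own constructions."""
import gc
import io
import json
import tracemalloc


class FailingWriter:
    """Constructed file-like object whose write() always fails, standing in
    for a full disk or a client that dropped the connection mid-response."""

    def write(self, data):
        raise OSError("simulated write failure")


def _sample_payload():
    # Roughly 39 KB once serialized: large enough that a leak dwarfs noise.
    return {"items": list(range(8000))}


def _drive_failures(dump, obj, rounds):
    writer = FailingWriter()
    for _ in range(rounds):
        try:
            dump(obj, writer)
        except OSError:
            pass  # an application would log this; the leak has already happened


def leaked_bytes_per_failure(dump, obj=None, rounds=200):
    """Average heap growth in bytes per failed dump() call, measured with
    tracemalloc.  A well-behaved encoder returns a value near zero; one that
    never DECREFs its serialized string returns roughly len(payload)."""
    obj = obj if obj is not None else _sample_payload()
    tracemalloc.start()
    try:
        _drive_failures(dump, obj, 5)  # warm up caches and interned objects
        gc.collect()
        before, _ = tracemalloc.get_traced_memory()
        _drive_failures(dump, obj, rounds)
        gc.collect()
        after, _ = tracemalloc.get_traced_memory()
    finally:
        tracemalloc.stop()
    return (after - before) / rounds


def is_affected(dump, obj=None, rounds=200):
    """True when each failed call leaks at least half a compact payload."""
    obj = obj if obj is not None else _sample_payload()
    compact_len = len(json.dumps(obj, separators=(",", ":")))
    return leaked_bytes_per_failure(dump, obj, rounds) >= compact_len / 2


def stdlib_control():
    """Baseline: json.dump re-raises the write error without leaking."""
    return leaked_bytes_per_failure(json.dump)


def stdlib_is_affected():
    return is_affected(json.dump)


def dumps_then_write(obj, fp, dumps=json.dumps):
    """Workaround pattern: serialize to a Python-owned str first, then write.
    If write() raises, the str is released by ordinary reference counting.
    Pass dumps=ujson.dumps to use UltraJSON's encoder.  Returns chars written."""
    text = dumps(obj)
    fp.write(text)
    return len(text)


def workaround_roundtrip(obj):
    """Run dumps_then_write into an in-memory buffer; returns (count, text)."""
    buf = io.StringIO()
    n = dumps_then_write(obj, buf)
    return n, buf.getvalue()


if __name__ == "__main__":
    print(f"json.dump control: {stdlib_control():.0f} bytes/failure")
    try:
        import ujson  # only present if the package is installed
    except ImportError:
        print("ujson not installed; nothing to check")
    else:
        per_call = leaked_bytes_per_failure(ujson.dump)
        verdict = "AFFECTED" if is_affected(ujson.dump) else "not affected"
        print(f"ujson {ujson.__version__}: {per_call:.0f} bytes/failure -> {verdict}")
```

Run it inside the container image under review; a result near the payload size on an image HarborGuard has flagged confirms the finding, and a near-zero result after the upgrade confirms the fix landed in the running interpreter rather than only in the package manifest.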


Metrics

CVSS v4.0 score: 8.7
Severity: HIGH
Fixed in: 5.12.1
Affected products: 1
Affected packages:
  • ultrajson / ultrajson: < 5.12.1
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N