diff --git a/gems/json/CVE-2026-54696.yml b/gems/json/CVE-2026-54696.yml new file mode 100644 index 0000000000..e7c11a90c6 --- /dev/null +++ b/gems/json/CVE-2026-54696.yml @@ -0,0 +1,36 @@ +--- +gem: json +cve: 2026-54696 +ghsa: x2f5-4prf-w687 +url: https://nvd.nist.gov/vuln/detail/CVE-2026-54696 +title: JSON generator heap buffer overflow when streaming to an IO +date: 2026-06-30 +description: | + Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through + 2.19.8 are vulnerable to heap buffer overflow when the JSON generator + is provided with an oversized streamed object. + + When streaming to an IO JSON.dump(obj, io) and JSON::State#generate(obj, io) + can write past the internal JSON generator buffer when a streamed + object contains an attacker-controlled string near 16 KB. Exploitation + would result in a reliable process crash/denial of service. + + This was triaged on HackerOne as report #3785370. + The issue was confirmed there and I was asked to open it here. + + This issue has been fixed in version 2.19.9. +cvss_v3: 3.7 +unaffected_versions: + - "< 2.9.0" +patched_versions: + - ">= 2.19.9" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-54696 + - https://rubygems.org/gems/json/versions/2.19.9 + - https://github.com/ruby/json/releases/tag/v2.19.9 + - https://github.com/ruby/json/blob/master/CHANGES.md#2026-06-11-2199 + - https://hackerone.com/reports/3785370 + - https://github.com/ruby/json/security/advisories/GHSA-x2f5-4prf-w687 +notes: | + - Got 2.19.9 and date from nvd.nist.gov web site.