Skip to content

Commit b6ea057

Browse files
simiRubySec CI
authored andcommitted
Updated advisory posts against rubysec/ruby-advisory-db@aac0866
1 parent f7ab139 commit b6ea057

4 files changed

Lines changed: 144 additions & 0 deletions

File tree

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54896 (oj): Oj - Heap Buffer Overflow in Oj.dump Exception Serialization
4+
via Large Indent'
5+
comments: false
6+
categories:
7+
- oj
8+
advisory:
9+
gem: oj
10+
cve: 2026-54896
11+
ghsa: 35w3-pjm6-wj95
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54896
13+
title: Oj - Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent
14+
date: 2026-06-19
15+
description: |-
16+
### Summary
17+
18+
`Oj.dump` in object mode is vulnerable to a heap buffer overflow when
19+
serializing Exception objects with a large `:indent` value. The
20+
serializer allocates a buffer sized for the object's attributes but
21+
does not account for the indent bytes added on each write. With
22+
`indent: 5000`, the accumulation of 5,000-byte indent strings overflows
23+
the 13,150-byte heap allocation, corrupting adjacent heap memory.
24+
cvss_v4: 8.7
25+
patched_versions:
26+
- ">= 3.17.3"
27+
related:
28+
url:
29+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54896
30+
- https://rubygems.org/gems/oj/versions/3.17.3
31+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+
- https://github.com/ohler55/oj/pull/1015
33+
- https://github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95
34+
- https://github.com/advisories/GHSA-35w3-pjm6-wj95
35+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
36+
---
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54897 (oj): Oj - Use-After-Free in Oj::Doc Iterators via Reentrant
4+
Close'
5+
comments: false
6+
categories:
7+
- oj
8+
advisory:
9+
gem: oj
10+
cve: 2026-54897
11+
ghsa: 9ppp-w3g4-fh4q
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54897
13+
title: Oj - Use-After-Free in Oj::Doc Iterators via Reentrant Close
14+
date: 2026-06-19
15+
description: |-
16+
### Summary
17+
18+
`Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) are
19+
vulnerable to a heap use-after-free. When a Ruby block yielded during
20+
iteration calls `doc.close` or `d.close`, the document's heap memory
21+
is freed while the C iterator is still running. When control returns
22+
from the block, the iterator reads from the freed region, producing
23+
a use-after-free accessible from pure Ruby.
24+
cvss_v4: 8.7
25+
patched_versions:
26+
- ">= 3.17.3"
27+
related:
28+
url:
29+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54897
30+
- https://rubygems.org/gems/oj/versions/3.17.3
31+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+
- https://github.com/ohler55/oj/pull/1015
33+
- https://github.com/ohler55/oj/security/advisories/GHSA-9ppp-w3g4-fh4q
34+
- https://github.com/advisories/GHSA-9ppp-w3g4-fh4q
35+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
36+
---
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54898 (oj): Oj - Use-After-Free in Oj::Parser SAJ Callback via Input
4+
Mutation'
5+
comments: false
6+
categories:
7+
- oj
8+
advisory:
9+
gem: oj
10+
cve: 2026-54898
11+
ghsa: q2gm-54r6-8fwm
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54898
13+
title: Oj - Use-After-Free in Oj::Parser SAJ Callback via Input Mutation
14+
date: 2026-06-19
15+
description: |-
16+
### Summary
17+
18+
`Oj::Parser#parse` is vulnerable to a heap use-after-free when a
19+
SAJ/SAJ2 callback mutates the input JSON string during parsing.
20+
The C engine holds a raw `const byte *` pointer into the Ruby string's
21+
internal buffer. If a callback (e.g. `hash_start`) resizes the
22+
string — for example by calling `String#replace` with a longer
23+
value — Ruby reallocates the string buffer and frees the old one. The
24+
C parser's pointer is left dangling; the next character read
25+
at `parser.c:607` is a use-after-free.
26+
cvss_v4: 8.7
27+
patched_versions:
28+
- ">= 3.17.3"
29+
related:
30+
url:
31+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54898
32+
- https://rubygems.org/gems/oj/versions/3.17.3
33+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
34+
- https://github.com/ohler55/oj/pull/1015
35+
- https://github.com/ohler55/oj/security/advisories/GHSA-q2gm-54r6-8fwm
36+
- https://github.com/advisories/GHSA-q2gm-54r6-8fwm
37+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
38+
---
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54899 (oj): Oj - Use-After-Free in Oj::Parser Symbol Key Cache Toggle'
4+
comments: false
5+
categories:
6+
- oj
7+
advisory:
8+
gem: oj
9+
cve: 2026-54899
10+
ghsa: 2cw7-v8ff-p88r
11+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54899
12+
title: Oj - Use-After-Free in Oj::Parser Symbol Key Cache Toggle
13+
date: 2026-06-19
14+
description: |-
15+
### Summary
16+
17+
Disabling `symbol_keys` on a reused `Oj::Parser` instance triggers a
18+
heap use-after-free. When `symbol_keys` is toggled from `true` to
19+
`false`, `opt_symbol_keys_set` frees the internal key cache (`cache_free`)
20+
but does not clear the pointer. The next `parse` call reads from
21+
the freed cache via `cache_intern`, producing a use-after-free.
22+
cvss_v4: 8.7
23+
patched_versions:
24+
- ">= 3.17.3"
25+
related:
26+
url:
27+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54899
28+
- https://rubygems.org/gems/oj/versions/3.17.3
29+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
30+
- https://github.com/ohler55/oj/pull/1015
31+
- https://github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r
32+
- https://github.com/advisories/GHSA-2cw7-v8ff-p88r
33+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
34+
---

0 commit comments

Comments
 (0)