File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54896 (oj): Oj - Heap Buffer Overflow in Oj.dump Exception Serialization
4+ via Large Indent'
5+ comments : false
6+ categories :
7+ - oj
8+ advisory :
9+ gem : oj
10+ cve : 2026-54896
11+ ghsa : 35w3-pjm6-wj95
12+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54896
13+ title : Oj - Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent
14+ date : 2026-06-19
15+ description : |-
16+ ### Summary
17+
18+ `Oj.dump` in object mode is vulnerable to a heap buffer overflow when
19+ serializing Exception objects with a large `:indent` value. The
20+ serializer allocates a buffer sized for the object's attributes but
21+ does not account for the indent bytes added on each write. With
22+ `indent: 5000`, the accumulation of 5,000-byte indent strings overflows
23+ the 13,150-byte heap allocation, corrupting adjacent heap memory.
24+ cvss_v4 : 8.7
25+ patched_versions :
26+ - " >= 3.17.3"
27+ related :
28+ url :
29+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54896
30+ - https://rubygems.org/gems/oj/versions/3.17.3
31+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+ - https://github.com/ohler55/oj/pull/1015
33+ - https://github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95
34+ - https://github.com/advisories/GHSA-35w3-pjm6-wj95
35+ notes : " - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n "
36+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54897 (oj): Oj - Use-After-Free in Oj::Doc Iterators via Reentrant
4+ Close'
5+ comments : false
6+ categories :
7+ - oj
8+ advisory :
9+ gem : oj
10+ cve : 2026-54897
11+ ghsa : 9ppp-w3g4-fh4q
12+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54897
13+ title : Oj - Use-After-Free in Oj::Doc Iterators via Reentrant Close
14+ date : 2026-06-19
15+ description : |-
16+ ### Summary
17+
18+ `Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) are
19+ vulnerable to a heap use-after-free. When a Ruby block yielded during
20+ iteration calls `doc.close` or `d.close`, the document's heap memory
21+ is freed while the C iterator is still running. When control returns
22+ from the block, the iterator reads from the freed region, producing
23+ a use-after-free accessible from pure Ruby.
24+ cvss_v4 : 8.7
25+ patched_versions :
26+ - " >= 3.17.3"
27+ related :
28+ url :
29+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54897
30+ - https://rubygems.org/gems/oj/versions/3.17.3
31+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+ - https://github.com/ohler55/oj/pull/1015
33+ - https://github.com/ohler55/oj/security/advisories/GHSA-9ppp-w3g4-fh4q
34+ - https://github.com/advisories/GHSA-9ppp-w3g4-fh4q
35+ notes : " - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n "
36+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54898 (oj): Oj - Use-After-Free in Oj::Parser SAJ Callback via Input
4+ Mutation'
5+ comments : false
6+ categories :
7+ - oj
8+ advisory :
9+ gem : oj
10+ cve : 2026-54898
11+ ghsa : q2gm-54r6-8fwm
12+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54898
13+ title : Oj - Use-After-Free in Oj::Parser SAJ Callback via Input Mutation
14+ date : 2026-06-19
15+ description : |-
16+ ### Summary
17+
18+ `Oj::Parser#parse` is vulnerable to a heap use-after-free when a
19+ SAJ/SAJ2 callback mutates the input JSON string during parsing.
20+ The C engine holds a raw `const byte *` pointer into the Ruby string's
21+ internal buffer. If a callback (e.g. `hash_start`) resizes the
22+ string — for example by calling `String#replace` with a longer
23+ value — Ruby reallocates the string buffer and frees the old one. The
24+ C parser's pointer is left dangling; the next character read
25+ at `parser.c:607` is a use-after-free.
26+ cvss_v4 : 8.7
27+ patched_versions :
28+ - " >= 3.17.3"
29+ related :
30+ url :
31+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54898
32+ - https://rubygems.org/gems/oj/versions/3.17.3
33+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
34+ - https://github.com/ohler55/oj/pull/1015
35+ - https://github.com/ohler55/oj/security/advisories/GHSA-q2gm-54r6-8fwm
36+ - https://github.com/advisories/GHSA-q2gm-54r6-8fwm
37+ notes : " - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n "
38+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54899 (oj): Oj - Use-After-Free in Oj::Parser Symbol Key Cache Toggle'
4+ comments : false
5+ categories :
6+ - oj
7+ advisory :
8+ gem : oj
9+ cve : 2026-54899
10+ ghsa : 2cw7-v8ff-p88r
11+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54899
12+ title : Oj - Use-After-Free in Oj::Parser Symbol Key Cache Toggle
13+ date : 2026-06-19
14+ description : |-
15+ ### Summary
16+
17+ Disabling `symbol_keys` on a reused `Oj::Parser` instance triggers a
18+ heap use-after-free. When `symbol_keys` is toggled from `true` to
19+ `false`, `opt_symbol_keys_set` frees the internal key cache (`cache_free`)
20+ but does not clear the pointer. The next `parse` call reads from
21+ the freed cache via `cache_intern`, producing a use-after-free.
22+ cvss_v4 : 8.7
23+ patched_versions :
24+ - " >= 3.17.3"
25+ related :
26+ url :
27+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54899
28+ - https://rubygems.org/gems/oj/versions/3.17.3
29+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
30+ - https://github.com/ohler55/oj/pull/1015
31+ - https://github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r
32+ - https://github.com/advisories/GHSA-2cw7-v8ff-p88r
33+ notes : " - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n "
34+ ---
You can’t perform that action at this time.
0 commit comments