File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54900 (oj): Oj - Negative-Size memcpy in '' Oj::Parser'' create_id
4+ Attribute Handling'
5+ comments : false
6+ categories :
7+ - oj
8+ advisory :
9+ gem : oj
10+ cve : 2026-54900
11+ ghsa : 9cv6-qcjw-4grx
12+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
13+ title : Oj - Negative-Size memcpy in 'Oj::Parser' create_id Attribute Handling
14+ date : 2026-06-19
15+ description : |-
16+ ### Summary
17+
18+ `Oj::Parser#parse` in usual mode with `create_id` enabled is vulnerable
19+ to heap corruption via a negative-size `memcpy`. When a JSON object key
20+ is exactly 65,535 bytes long, an integer truncation in `form_attr`
21+ (`usual.c:63`) converts the length to `-1` before passing it to `memcpy`.
22+ This causes `memcpy` to copy `SIZE_MAX` bytes (interpreted as a huge
23+ `size_t`), corrupting heap memory and crashing the process.
24+ cvss_v4 : 8.7
25+ patched_versions :
26+ - " >= 3.17.3"
27+ related :
28+ url :
29+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
30+ - https://rubygems.org/gems/oj/versions/3.17.3
31+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+ - https://github.com/ohler55/oj/pull/1015
33+ - https://github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx
34+ - https://github.com/advisories/GHSA-9cv6-qcjw-4grx
35+ notes : " - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n "
36+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54901 (oj): Oj- Use-After-Free in '' Oj::Parser'' array_class/hash_class
4+ GC Marking'
5+ comments : false
6+ categories :
7+ - oj
8+ advisory :
9+ gem : oj
10+ cve : 2026-54901
11+ ghsa : vwm4-62gf-x745
12+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
13+ title : Oj- Use-After-Free in 'Oj::Parser' array_class/hash_class GC Marking
14+ date : 2026-06-19
15+ description : |-
16+ ### Summary
17+
18+ `Oj::Parser` in usual mode does not mark `array_class` and `hash_class`
19+ references during garbage collection. If GC runs after the class is
20+ assigned but before a parse, the class object is reclaimed, leaving
21+ the parser holding a dangling VALUE. The subsequent `parse` call
22+ dereferences the freed object, producing a segfault.
23+ cvss_v4 : 8.7
24+ patched_versions :
25+ - " >= 3.17.3"
26+ related :
27+ url :
28+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
29+ - https://rubygems.org/gems/oj/versions/3.17.3
30+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
31+ - https://github.com/ohler55/oj/pull/1015
32+ - https://github.com/ohler55/oj/security/advisories/GHSA-vwm4-62gf-x745
33+ - https://github.com/advisories/GHSA-vwm4-62gf-x745
34+ notes : " - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n "
35+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54902 (oj): Oj - Use-After-Free in '' Oj::Parser'' SAJ Long Key Callback'
4+ comments : false
5+ categories :
6+ - oj
7+ advisory :
8+ gem : oj
9+ cve : 2026-54902
10+ ghsa : m578-w5vf-rfcm
11+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54902
12+ title : Oj - Use-After-Free in 'Oj::Parser' SAJ Long Key Callback
13+ date : 2026-06-19
14+ description : |-
15+ ### Summary
16+
17+ `Oj::Parser` in SAJ mode does not protect cached object keys (≥ 35 bytes)
18+ from garbage collection. A Ruby callback that triggers GC inside
19+ `hash_end` can cause the key string to be reclaimed while the C
20+ parser still holds a pointer to it. The subsequent access to the
21+ freed string VALUE results in a segfault, confirmed by an
22+ RIP pointing to address `0x4242` (a canary-style pattern suggesting
23+ control over the freed memory's content).
24+ cvss_v4 : 8.7
25+ patched_versions :
26+ - " >= 3.17.3"
27+ related :
28+ url :
29+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54902
30+ - https://rubygems.org/gems/oj/versions/3.17.3
31+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+ - https://github.com/ohler55/oj/pull/1015
33+ - https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm
34+ - https://github.com/advisories/GHSA-m578-w5vf-rfcm
35+ notes : " - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n "
36+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-54903 (oj): Oj - Integer Overflow in Oj.load 2GB String Handling'
4+ comments : false
5+ categories :
6+ - oj
7+ advisory :
8+ gem : oj
9+ cve : 2026-54903
10+ ghsa : 475m-ph3x-64gp
11+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
12+ title : Oj - Integer Overflow in Oj.load 2GB String Handling
13+ date : 2026-06-19
14+ description : |-
15+ ### Summary
16+
17+ `Oj.load` is vulnerable to heap corruption when parsing a JSON string
18+ longer than 2 GB. An integer overflow in `buf_append_string`
19+ (`buf.h:61`) converts the string length to a large negative `size_t`,
20+ causing `memcpy` to copy an astronomically large amount of data out of
21+ bounds. This crashes the process and can corrupt adjacent heap memory.
22+ cvss_v4 : 8.7
23+ patched_versions :
24+ - " >= 3.17.3"
25+ related :
26+ url :
27+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
28+ - https://rubygems.org/gems/oj/versions/3.17.3
29+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
30+ - https://github.com/ohler55/oj/pull/1015
31+ - https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp
32+ - https://github.com/advisories/GHSA-475m-ph3x-64gp
33+ notes : " - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n "
34+ ---
You can’t perform that action at this time.
0 commit comments