Skip to content

Commit d93f844

Browse files
simiRubySec CI
authored andcommitted
Updated advisory posts against rubysec/ruby-advisory-db@b157c43
1 parent 61b1878 commit d93f844

4 files changed

Lines changed: 141 additions & 0 deletions

File tree

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54900 (oj): Oj - Negative-Size memcpy in ''Oj::Parser'' create_id
4+
Attribute Handling'
5+
comments: false
6+
categories:
7+
- oj
8+
advisory:
9+
gem: oj
10+
cve: 2026-54900
11+
ghsa: 9cv6-qcjw-4grx
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
13+
title: Oj - Negative-Size memcpy in 'Oj::Parser' create_id Attribute Handling
14+
date: 2026-06-19
15+
description: |-
16+
### Summary
17+
18+
`Oj::Parser#parse` in usual mode with `create_id` enabled is vulnerable
19+
to heap corruption via a negative-size `memcpy`. When a JSON object key
20+
is exactly 65,535 bytes long, an integer truncation in `form_attr`
21+
(`usual.c:63`) converts the length to `-1` before passing it to `memcpy`.
22+
This causes `memcpy` to copy `SIZE_MAX` bytes (interpreted as a huge
23+
`size_t`), corrupting heap memory and crashing the process.
24+
cvss_v4: 8.7
25+
patched_versions:
26+
- ">= 3.17.3"
27+
related:
28+
url:
29+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
30+
- https://rubygems.org/gems/oj/versions/3.17.3
31+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+
- https://github.com/ohler55/oj/pull/1015
33+
- https://github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx
34+
- https://github.com/advisories/GHSA-9cv6-qcjw-4grx
35+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
36+
---
Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,35 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54901 (oj): Oj- Use-After-Free in ''Oj::Parser'' array_class/hash_class
4+
GC Marking'
5+
comments: false
6+
categories:
7+
- oj
8+
advisory:
9+
gem: oj
10+
cve: 2026-54901
11+
ghsa: vwm4-62gf-x745
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
13+
title: Oj- Use-After-Free in 'Oj::Parser' array_class/hash_class GC Marking
14+
date: 2026-06-19
15+
description: |-
16+
### Summary
17+
18+
`Oj::Parser` in usual mode does not mark `array_class` and `hash_class`
19+
references during garbage collection. If GC runs after the class is
20+
assigned but before a parse, the class object is reclaimed, leaving
21+
the parser holding a dangling VALUE. The subsequent `parse` call
22+
dereferences the freed object, producing a segfault.
23+
cvss_v4: 8.7
24+
patched_versions:
25+
- ">= 3.17.3"
26+
related:
27+
url:
28+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
29+
- https://rubygems.org/gems/oj/versions/3.17.3
30+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
31+
- https://github.com/ohler55/oj/pull/1015
32+
- https://github.com/ohler55/oj/security/advisories/GHSA-vwm4-62gf-x745
33+
- https://github.com/advisories/GHSA-vwm4-62gf-x745
34+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
35+
---
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54902 (oj): Oj - Use-After-Free in ''Oj::Parser'' SAJ Long Key Callback'
4+
comments: false
5+
categories:
6+
- oj
7+
advisory:
8+
gem: oj
9+
cve: 2026-54902
10+
ghsa: m578-w5vf-rfcm
11+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54902
12+
title: Oj - Use-After-Free in 'Oj::Parser' SAJ Long Key Callback
13+
date: 2026-06-19
14+
description: |-
15+
### Summary
16+
17+
`Oj::Parser` in SAJ mode does not protect cached object keys (≥ 35 bytes)
18+
from garbage collection. A Ruby callback that triggers GC inside
19+
`hash_end` can cause the key string to be reclaimed while the C
20+
parser still holds a pointer to it. The subsequent access to the
21+
freed string VALUE results in a segfault, confirmed by an
22+
RIP pointing to address `0x4242` (a canary-style pattern suggesting
23+
control over the freed memory's content).
24+
cvss_v4: 8.7
25+
patched_versions:
26+
- ">= 3.17.3"
27+
related:
28+
url:
29+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54902
30+
- https://rubygems.org/gems/oj/versions/3.17.3
31+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
32+
- https://github.com/ohler55/oj/pull/1015
33+
- https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm
34+
- https://github.com/advisories/GHSA-m578-w5vf-rfcm
35+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
36+
---
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-54903 (oj): Oj - Integer Overflow in Oj.load 2GB String Handling'
4+
comments: false
5+
categories:
6+
- oj
7+
advisory:
8+
gem: oj
9+
cve: 2026-54903
10+
ghsa: 475m-ph3x-64gp
11+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
12+
title: Oj - Integer Overflow in Oj.load 2GB String Handling
13+
date: 2026-06-19
14+
description: |-
15+
### Summary
16+
17+
`Oj.load` is vulnerable to heap corruption when parsing a JSON string
18+
longer than 2 GB. An integer overflow in `buf_append_string`
19+
(`buf.h:61`) converts the string length to a large negative `size_t`,
20+
causing `memcpy` to copy an astronomically large amount of data out of
21+
bounds. This crashes the process and can corrupt adjacent heap memory.
22+
cvss_v4: 8.7
23+
patched_versions:
24+
- ">= 3.17.3"
25+
related:
26+
url:
27+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
28+
- https://rubygems.org/gems/oj/versions/3.17.3
29+
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
30+
- https://github.com/ohler55/oj/pull/1015
31+
- https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp
32+
- https://github.com/advisories/GHSA-475m-ph3x-64gp
33+
notes: "- CVE is reserved, but published so no cvss_v2 or cvss_v3 values.\n"
34+
---

0 commit comments

Comments
 (0)