CVE-2026-54500
Status: Received - Intake

BaseFortify

Vulnerability report for CVE-2026-54500, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj.load in :object mode reads uninitialized stack memory (and, for long keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. In ext/oj/intern.c, form_attr() handles the long-key path by allocating a heap buffer, `b`, populating it with the attribute name, and then freeing it; however, it passed the uninitialized stack buffer `buf` (not `b`) to rb_intern3(). rb_intern3 therefore reads len + 1 bytes of uninitialized stack memory. When the key length is >= 256, it also reads out of bounds past the 256-byte `buf`. The resulting bytes are interned and can reach the caller via the produced Symbol or via the EncodingError message raised on invalid UTF-8, leaking process stack contents. This issue has been fixed in version 3.17.3.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: ohler55
Product: oj
Version / Range: up to 3.17.3 (excluding 3.17.3)

Exploitability

CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
CWE-908: The product uses or accesses a resource that has not been initialized.

AI Quick Actions

Executive Summary

CVE-2026-54500 is a vulnerability in the Oj Ruby gem, a JSON parser and object marshaller. In versions before 3.17.3, when parsing JSON objects in :object mode with keys that are 254 bytes or longer, the code reads uninitialized stack memory and, for keys 256 bytes or longer, reads out-of-bounds memory. This happens because the function form_attr in the source code mistakenly passes an uninitialized stack buffer to the rb_intern3 function instead of the properly allocated heap buffer. As a result, up to 1500 bytes of uninitialized stack memory can be leaked to the caller, either through the resulting Symbol or through an EncodingError message.

This vulnerability can disclose sensitive process stack memory contents unintentionally. It was fixed in version 3.17.3 by correcting the buffer passed to rb_intern3.

Impact Analysis

This vulnerability can lead to the unintended disclosure of process stack memory contents, which may include sensitive or confidential information. An attacker able to supply JSON input with long keys in :object mode could exploit this to read uninitialized memory, potentially gaining access to data that should remain private.

However, the vulnerability requires the use of :object mode, which is discouraged for untrusted input, and the leaked data is uncontrolled, which somewhat limits the impact. The CVSS score is medium (5.3), reflecting these mitigating factors.

Detection Guidance

This vulnerability occurs when the Oj gem (versions prior to 3.17.3) parses JSON objects in :object mode with keys 254 bytes or longer, leading to uninitialized stack memory reads. Detection involves identifying usage of vulnerable Oj versions and JSON parsing in :object mode with long keys.

You can detect the presence of the vulnerable Oj gem version by checking the installed gem version on your system.

  • Run `gem list oj` to see the installed Oj gem version.
  • If the version is below 3.17.3, your system is vulnerable.

To detect exploitation attempts or presence of suspicious behavior, monitor logs or application behavior for EncodingError messages related to invalid UTF-8 during JSON parsing or unexpected Symbol creation from long keys.

Mitigation Strategies

The primary mitigation is to upgrade the Oj gem to version 3.17.3 or later, where the vulnerability is fixed by correctly passing the heap buffer to rb_intern3.

Additionally, avoid using :object mode for parsing untrusted JSON input, as it is already discouraged and is a requirement for triggering this vulnerability.

If upgrading immediately is not possible, consider sanitizing or limiting JSON keys to less than 254 bytes before parsing with Oj in :object mode.
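As an added example (not code from the Oj project or from this report), the following Ruby pre-check combines the version check from the detection section with the key-length limit from the mitigation above: the document is first validated with the unaffected stdlib JSON parser and is refused before Oj.load(doc, mode: :object) ever sees a key of 254 bytes or more. The helper names, the use of Gem.loaded_specs to obtain the installed version, and the sample documents are assumptions.

```ruby
require "json"

# Keys of 254 bytes or more trigger the uninitialized read in Oj < 3.17.3,
# so the guard allows at most 253 bytes per key.
MAX_SAFE_KEY_BYTES = 253
FIXED_OJ_VERSION = "3.17.3"

# True when the installed Oj is at or above the fixed release. `installed`
# is a version string, e.g. Gem.loaded_specs["oj"].version.to_s.
def oj_fixed?(installed)
  Gem::Version.new(installed) >= Gem::Version.new(FIXED_OJ_VERSION)
end

# Walks an already-parsed document and returns [path, byte_length] for every
# object key that is too long. Byte length matters, not character count: a
# 127-character key of two-byte UTF-8 characters is 254 bytes and still trips the bug.
def long_keys(node, path = "$")
  case node
  when Hash
    node.flat_map do |key, value|
      child = "#{path}.#{key[0, 12]}"
      hit = key.bytesize > MAX_SAFE_KEY_BYTES ? [[child, key.bytesize]] : []
      hit + long_keys(value, child)
    end
  when Array
    node.each_with_index.flat_map { |value, i| long_keys(value, "#{path}[#{i}]") }
  else
    []
  end
end

# Pre-check to run before Oj.load(doc, mode: :object) on a vulnerable version.
# The stdlib parser validates the document first; malformed input is rejected
# rather than forwarded to Oj.
def safe_for_object_mode?(doc, oj_version)
  return true if oj_fixed?(oj_version)
  long_keys(JSON.parse(doc)).empty?
rescue JSON::ParserError
  false
end

# Constructed samples (assumed, not taken from the advisory).
SAFE_DOC = JSON.generate({ "^o" => "User", "name" => "alice" })
LONG_KEY_DOC = JSON.generate({ "^o" => "User", "k" * 254 => 1 })
MULTIBYTE_DOC = JSON.generate({ "\u00e9" * 127 => 1 }) # 127 chars, 254 bytes
```

The returned paths only identify where the oversized key sits; the key itself is never echoed back, so the guard does not re-expose the long input in logs.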

Compliance Impact

CVE-2026-54500 causes leakage of uninitialized stack memory when parsing JSON objects with long keys in Oj gem versions prior to 3.17.3. This leakage can expose process stack contents to the caller, potentially disclosing sensitive information.

Such unintended disclosure of memory contents could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized data exposure.

However, the vulnerability requires use of the :object mode, which is already discouraged for untrusted input, and the leaked data is uncontrolled and indirect. The severity is rated medium (CVSS 5.3), indicating some mitigating factors.

Organizations using vulnerable versions of Oj in contexts subject to GDPR, HIPAA, or similar regulations should consider this vulnerability as a potential risk for data leakage and take appropriate remediation steps, such as upgrading to version 3.17.3.
