CVE-2026-54502
Status: Received - Intake

Stack-Based Buffer Overflow in Oj Ruby Gem

Vulnerability report for CVE-2026-54502, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value and memset writes 2 GB into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process. This issue has been fixed in version 3.17.2.

Meta Information

EPSS Evaluated: N/A (no EPSS probability or percentile has been assigned yet)

Affected Vendors & Products

Vendor Product Version / Range
ohler55 oj all versions before 3.17.2 (3.17.2 itself is excluded; it is the first fixed release)

Exploitability

CWE ID Description
CWE-121 Stack-based Buffer Overflow: a stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Executive Summary

CVE-2026-54502 is a stack-based buffer overflow vulnerability in the Oj (Optimized JSON) Ruby gem, specifically in the Oj.dump method. This occurs when a developer provides a very large :indent value, such as INT_MAX (2,147,483,647). The function fill_indent in dump.h uses memset to fill a stack-allocated buffer with spaces based on the indent size without checking if the size is valid. Because the large indent value causes memset to write about 2 GB of data into a small buffer (4,184 bytes), it corrupts the stack and crashes the process.

This vulnerability affects all versions of the oj gem before version 3.17.2, where the issue has been fixed.

Impact Analysis

A process that calls Oj.dump with a very large :indent option crashes with stack corruption before any output is produced; the effect is a denial of service for that process (under a forking application server, for the worker handling the request). The :indent value is a serializer option chosen by the caller, not something read from the JSON being parsed or emitted, so an attacker can trigger the bug only where application code lets untrusted input (a query parameter, a configuration value, an API field) select the indent size.

Because the overwrite is a memset of one fixed byte (0x20, a space) over a span far larger than the mapped stack, the attacker controls only the length of the write, not its contents, and the write runs off the end of the stack and faults. The advisory accordingly rates the severity as low and describes the impact as a process crash. Treat it as a DoS bug, but one that any endpoint exposing a pretty-print option can reach.

Detection Guidance

The simplest check is the installed version: any oj release before 3.17.2 is affected, whatever :indent values the application currently uses.

To confirm that a particular install is vulnerable, reproduce the issue in a throwaway process by calling Oj.dump with an :indent of INT_MAX (2,147,483,647) and observing whether the interpreter dies with a segmentation fault instead of returning.

Example Ruby command to test for the vulnerability:

  • ruby -r oj -e "Oj.dump({key: 'value'}, indent: 2147483647)"

If the process crashes, the installed oj is vulnerable. Run this only in a disposable process: on an affected version the command is the crash itself, not a probe for it.

Mitigation Strategies

Until the upgrade is in place, bound the :indent value at the call site: pass only small non-negative integers (a few spaces at most) to Oj.dump, and never let user input or configuration supply the value unvalidated.

In particular, do not expose the indent size as a request parameter, and reject values anywhere near INT_MAX before they reach the serializer.

The definitive fix is to upgrade the oj Ruby gem to version 3.17.2 or later, where this issue has been resolved.
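An added example for this record, not code from the Oj project or from the advisory: a version check (against the loaded gem and against Gemfile.lock text) for the detection step above, and an indent validator that keeps caller-supplied :indent values within a small range for the mitigation step. MAX_INDENT, the helper names and the Gemfile.lock excerpt are assumptions made for this example; when the oj gem is not installed, safe_dump falls back to the stdlib JSON encoder so the example still runs.

```ruby
# Added example for this CVE page (not code from the Oj project or the advisory).
# Two practical tasks: find out whether the installed or locked oj version is
# affected, and keep an untrusted :indent value from reaching Oj.dump unbounded.
# MAX_INDENT and the sample Gemfile.lock text are choices made for this example.
require 'json'

begin
  require 'oj'
  OJ_AVAILABLE = true
rescue LoadError
  OJ_AVAILABLE = false # gem not installed: safe_dump falls back to stdlib JSON
end

FIXED_OJ_VERSION = Gem::Version.new('3.17.2') # first fixed release per the advisory

# True when the given oj version string is affected (strictly below 3.17.2).
def oj_affected?(version_string)
  Gem::Version.new(version_string) < FIXED_OJ_VERSION
end

# Version check against the loaded gem; nil when oj is not loaded at all.
def installed_oj_affected?
  OJ_AVAILABLE ? oj_affected?(Oj::VERSION) : nil
end

# Pull the resolved oj version out of Gemfile.lock text. Bundler writes each
# resolved gem under GEM/specs indented by exactly four spaces.
def oj_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}oj \(([^)]+)\)\s*$/)
  match && match[1]
end

# Constructed Gemfile.lock excerpt for the example (not from a real project).
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.16.1)
        bigdecimal (>= 3.0)
      rack (3.1.7)
LOCK

# Upper bound chosen for this example. Pretty-printing never needs more than a
# handful of spaces; the advisory's INT_MAX value is rejected here, far from memset.
MAX_INDENT = 16

# Normalise an indent that may come from untrusted input (query string, config,
# API body). Returns an Integer in 0..MAX_INDENT or raises ArgumentError.
# Negative indents (Oj's "no newline" mode) are rejected too, to keep one rule.
def safe_indent(raw)
  value = case raw
          when Integer then raw
          when String  then Integer(raw, 10, exception: false)
          end
  raise ArgumentError, "indent must be an integer, got #{raw.inspect}" if value.nil?
  unless (0..MAX_INDENT).cover?(value)
    raise ArgumentError, "indent #{value} outside 0..#{MAX_INDENT}"
  end
  value
end

# Serialise obj with a validated indent: Oj when present (compat mode so the
# output is plain JSON), stdlib JSON otherwise so the example runs anywhere.
def safe_dump(obj, raw_indent = 0)
  n = safe_indent(raw_indent)
  if OJ_AVAILABLE
    Oj.dump(obj, mode: :compat, indent: n)
  elsif n.zero?
    JSON.generate(obj)
  else
    JSON.pretty_generate(obj, indent: ' ' * n)
  end
end

if __FILE__ == $PROGRAM_NAME
  locked = oj_version_from_lockfile(SAMPLE_GEMFILE_LOCK)
  puts "locked oj #{locked} affected? #{oj_affected?(locked)}"
  puts safe_dump({ 'status' => 'ok', 'items' => [1, 2] }, '2')
  begin
    safe_dump({}, '2147483647') # the advisory's INT_MAX value
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The wrapper only narrows what untrusted input can reach: on an affected install the advisory's INT_MAX value is turned into an ArgumentError before Oj.dump is ever called, but upgrading to 3.17.2 or later remains the fix.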
