CVE-2026-54592
Status: Received - Intake

Stack Buffer Overflow in Oj Ruby Gem

Vulnerability report for CVE-2026-54592, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Oj (Optimized JSON) is a JSON parser and object marshaller packaged as a Ruby gem. In versions prior to 3.17.3, Oj::Doc#each_child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process, leading to denial of service.

The bug is a two-step chain in ext/oj/fast.c. First, doc_each_child increments doc->where past the where_path[MAX_STACK = 100] array with no bounds check and never restores it (the matching doc->where-- is missing), so calling each_child recursively from inside the yield block drives doc->where beyond the array. Second, on the next entry the function copies the current path into the 800-byte stack-local buffer save_path[MAX_STACK] using wlen = doc->where - doc->where_path; once the previous recursive call has left doc->where past where_path[100], wlen exceeds MAX_STACK and the memcpy overflows save_path on the C stack. Because the Oj::Doc parser imposes no JSON nesting-depth limit (it relies only on a C-stack pressure check), deeply nested attacker-controlled input reaches this path.

This issue has been fixed in version 3.17.3.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor: ohler55
Product: oj
Version / Range: all versions prior to 3.17.3 (3.17.3 itself is excluded, i.e. fixed)

Exploitability

CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.

Executive Summary

CVE-2026-54592 is a stack buffer overflow in the Oj::Doc#each_child method of the oj RubyGem, affecting versions prior to 3.17.3.

The issue occurs when each_child is called recursively (from inside its own yield block) while walking deeply nested JSON: doc_each_child advances doc->where past the where_path[MAX_STACK = 100] array without a bounds check and never restores it.

On the next call, the path length computed as doc->where - doc->where_path exceeds MAX_STACK, and the memcpy into the stack-local save_path buffer overruns it, corrupting the C stack and aborting the process.

A small payload suffices: nesting deeper than MAX_STACK (100 levels, e.g. a 101-level document) is enough to reach the overflowing memcpy.

The issue has been fixed in version 3.17.3 by adding bounds checking and restoring doc->where correctly.

Impact Analysis

This vulnerability leads to a denial of service (DoS): the Ruby process that is walking the document with Oj::Doc aborts when the overflow corrupts the C stack.

An attacker who can get a deeply nested JSON document parsed by application code that walks it with Oj::Doc#each_child can crash that application with a small payload. The trigger the advisory describes is each_child being called recursively from inside its own yield block, which is the natural way to walk a tree, so code using that pattern on untrusted input is the exposed surface.

The impact is on availability: the process terminates and service is disrupted. Although the underlying defect is an out-of-bounds stack write (CWE-787), the advisory describes the outcome as a process abort, not code execution.

Detection Guidance

First determine whether a vulnerable Oj is installed: every version prior to 3.17.3 is affected.

Runtime detection is indirect: watch for abnormal terminations or worker restarts of Ruby processes that parse JSON with Oj, and correlate them with unusually deeply nested request bodies, since the vulnerability manifests as a process abort from the stack buffer overflow.

You can check the installed version of the Oj gem with the following commands:

  • gem list oj
  • grep ' oj (' Gemfile.lock (for Bundler-managed applications)

Any reproduction test should be run in an isolated process, never against a live service: feeding a JSON document nested more than 100 levels deep to a recursive Oj::Doc#each_child walk (the pattern the advisory describes) is expected to abort the interpreter.

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the oj gem to version 3.17.3 or later, where the vulnerability has been fixed by adding bounds checking and correctly restoring doc->where.

If upgrading is not immediately possible, cap the nesting depth of untrusted JSON before it reaches Oj::Doc, because Oj::Doc itself imposes no nesting-depth limit; choose a cap well below MAX_STACK (100) rather than at it. Also review code that calls Oj::Doc#each_child recursively from inside its yield block on untrusted input, since that is the pattern the advisory identifies as the trigger.

Additionally, monitor application logs and process supervisors for crashes or restarts that correlate with JSON parsing.
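As an added example (not code from the Oj project or from this advisory), the following Ruby uses only the standard library, so it runs without oj installed. It covers both the version check from the detection guidance above and the nesting-depth cap described in this mitigation: it reads the locked oj version out of Gemfile.lock text and compares it against 3.17.3, and it pre-screens JSON text for bracket nesting depth before that text would be handed to Oj::Doc. The lockfile and JSON documents are constructed samples, the depth limit of 50 is an assumption chosen to sit well below MAX_STACK = 100, and oj_vulnerable?, locked_oj_version, json_max_depth and guard_json_depth! are illustrative names.

```ruby
# Version check and nesting-depth pre-filter for CVE-2026-54592.
# Illustrative code, stdlib only; not part of the oj gem or the advisory.

FIXED_OJ_VERSION = Gem::Version.new("3.17.3")  # first fixed release per the advisory
OJ_MAX_STACK     = 100                          # MAX_STACK in ext/oj/fast.c per the advisory
SAFE_DEPTH_LIMIT = 50                           # assumption: a cap well below MAX_STACK

# True when the given oj version string is affected (anything before 3.17.3).
def oj_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_OJ_VERSION
end

# Pulls the locked oj version out of Gemfile.lock text; nil if oj is not locked.
# Top-level specs are indented exactly four spaces; a spec's dependencies use six.
def locked_oj_version(lockfile_text)
  m = lockfile_text.match(/^ {4}oj \(([^)]+)\)/)
  m && m[1]
end

# Maximum bracket nesting depth of a JSON text, ignoring brackets that appear
# inside string literals (with escape handling). A cheap pre-filter, not a
# JSON validator.
def json_max_depth(text)
  depth = 0
  max_depth = 0
  in_string = false
  escaped = false
  text.each_char do |c|
    if in_string
      if escaped
        escaped = false
      elsif c == "\\"
        escaped = true
      elsif c == '"'
        in_string = false
      end
      next
    end
    case c
    when '"'
      in_string = true
    when "{", "["
      depth += 1
      max_depth = depth if depth > max_depth
    when "}", "]"
      depth -= 1
    end
  end
  max_depth
end

class NestingTooDeep < StandardError; end

# Raises before the text ever reaches Oj::Doc if it nests deeper than the limit;
# returns the text unchanged otherwise, so it can wrap a call such as
# Oj::Doc.open(guard_json_depth!(body)).
def guard_json_depth!(text, limit: SAFE_DEPTH_LIMIT)
  depth = json_max_depth(text)
  raise NestingTooDeep, "nesting depth #{depth} exceeds limit #{limit}" if depth > limit
  text
end

# Constructed sample inputs.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.16.1)
      rake (13.0.6)
LOCK
SHALLOW_JSON = '{"a":[1,{"b":"]]]\\"["}]}'  # brackets inside the string must not count
DEEP_JSON    = "[" * (OJ_MAX_STACK + 1) + "]" * (OJ_MAX_STACK + 1)  # 101 levels

if __FILE__ == $PROGRAM_NAME
  v = locked_oj_version(SAMPLE_LOCKFILE)
  puts "oj #{v}: #{oj_vulnerable?(v) ? 'VULNERABLE (< 3.17.3)' : 'fixed'}"
  puts "shallow sample depth=#{json_max_depth(SHALLOW_JSON)}"
  begin
    guard_json_depth!(DEEP_JSON)
  rescue NestingTooDeep => e
    puts "rejected: #{e.message}"
  end
end
```

The depth scanner runs in a single pass over the raw bytes and never builds the document, so it is safe to apply to untrusted input of any size before the real parser sees it; the cap is deliberately a parameter so that services which legitimately need deeper documents can raise it while still staying under MAX_STACK.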

Compliance Impact

This vulnerability causes a denial of service (DoS) by crashing the process when handling deeply nested JSON input. While it impacts system availability, there is no indication from the provided information that it leads to unauthorized access, data leakage, or integrity violations.

Therefore, the vulnerability primarily affects the availability aspect of compliance and does not directly compromise the confidentiality or integrity requirements emphasized in regulations such as GDPR or HIPAA.

Organizations relying on Oj for JSON parsing should consider the availability impact in their risk assessments and ensure they apply the fixed version (3.17.3) to maintain compliance with availability requirements.
