CVE-2026-54896

Heap Buffer Overflow in Oj Ruby Gem

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory. This issue has been fixed in version 3.17.2.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor | Product | Version / Range
ohler55 | oj | to 3.17.2 (exc)

Exploitability

CWE ID | Description
CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Executive Summary

CVE-2026-54896 is a vulnerability in the Ruby gem 'oj' (Optimized JSON) versions prior to 3.17.2. It occurs when the Oj.dump method serializes Exception objects in object mode with a very large indent value.

The problem arises because the serializer allocates a buffer sized only for the object's attributes but does not account for the additional bytes added by indentation on each write. For example, with an indent value of 5000, the repeated addition of 5000-byte indent strings causes the buffer to overflow its allocated size of 13,150 bytes, leading to a heap buffer overflow.

This overflow corrupts adjacent heap memory, which can cause unexpected behavior or crashes. The issue has been fixed in version 3.17.2.

Impact Analysis

This vulnerability can lead to heap memory corruption when serializing Exception objects with large indent values using the Oj.dump method. Such memory corruption may cause application crashes or unpredictable behavior.

Because the severity is classified as low, the direct impact might be limited, but it could potentially be exploited to destabilize an application or cause denial of service if an attacker can control the input and the indent value.

Detection Guidance

This vulnerability occurs when the Oj.dump method serializes Exception objects with a very large :indent value, causing a heap buffer overflow. Detection involves identifying usage of the vulnerable Oj gem versions prior to 3.17.2 and monitoring for serialization of Exception objects with excessive indentation.

To detect this on your system, you can check the installed version of the Oj gem and audit your Ruby code for calls to Oj.dump with large indent values, especially when serializing Exception objects.

Suggested commands include:

  • Check the installed Oj gem version: `gem list oj` or `bundle list | grep oj`
  • Search your codebase for Oj.dump usage with indent option: `grep -r "Oj.dump" ./ | grep indent`
  • Use AddressSanitizer (ASAN) or similar memory error detection tools when running tests to detect heap buffer overflows related to Oj.dump serialization.
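
The version check and code search listed above, combined into one audit script as an added example (not code from the Oj project or this advisory). The lockfile text, the source snippet and the `max_indent` threshold of 16 are constructed assumptions; unlike a grep for `Oj.dump` alone, the scan also covers an indent set through `Oj.default_options`.

```ruby
require "rubygems" # Gem::Version, for correct version ordering

FIXED = Gem::Version.new("3.17.2") # fixed release named in the advisory

# Returns the oj version pinned in Gemfile.lock text, or nil if oj is absent.
# Resolved specs sit at four spaces of indentation in the lockfile.
def locked_oj_version(lock_text)
  m = lock_text.match(/^ {4}oj \((\d+(?:\.\w+)*)/)
  m && Gem::Version.new(m[1])
end

def vulnerable?(version)
  !version.nil? && version < FIXED
end

# Reports lines that pass an indent to Oj. Literals above max_indent (an
# assumed threshold) and non-literal values, which may be caller-controlled,
# are both flagged. Line-based heuristic: calls split across lines are missed.
def indent_findings(source, max_indent: 16)
  findings = []
  source.each_line.with_index(1) do |line, no|
    next unless line =~ /\bOj\.(dump|default_options)\b/
    m = line.match(/\bindent:\s*([^,)}\s]+)|:indent\s*=>\s*([^,)}\s]+)/)
    next unless m
    value = m[1] || m[2]
    if value =~ /\A\d[\d_]*\z/
      findings << [no, :large_literal, value] if value.delete("_").to_i > max_indent
    else
      findings << [no, :non_literal, value]
    end
  end
  findings
end

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      oj (3.16.3)
        bigdecimal (>= 3.0)
LOCK

SAMPLE_SRC = <<~'RUBY'
  Oj.dump(err, mode: :object, indent: 5000)
  Oj.dump(err, mode: :object, indent: params[:indent].to_i)
  Oj.default_options = { mode: :object, :indent => 2 }
  Oj.dump(payload)
RUBY
```

Feed `locked_oj_version` the contents of a project's `Gemfile.lock` and `indent_findings` each Ruby source file; any `:non_literal` finding needs a manual check of where the value comes from.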

Mitigation Strategies

The primary mitigation is to upgrade the Oj gem to version 3.17.2 or later, where this heap buffer overflow issue has been fixed.

Additionally, avoid using extremely large indent values when calling Oj.dump, especially when serializing Exception objects.

Developers should ensure that user input does not control the indent size to prevent triggering this vulnerability.
