CVE-2026-54898
Status: Received - Intake

Heap Use-After-Free in Oj JSON Parser

Vulnerability report for CVE-2026-54898, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string, for example by calling String#replace with a longer value, Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   Product  Version / Range
ohler55  oj       < 3.17.2 (affected)
ohler55  oj       3.17.2 (the fixed release)

Exploitability

CWE ID: CWE-416 (Use After Free)
Description: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Executive Summary

CVE-2026-54898 is a use-after-free vulnerability in the Oj Ruby gem, specifically in the Oj::Parser#parse method for versions prior to 3.17.2.

The vulnerability occurs when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw pointer to the Ruby string's internal buffer. If a callback resizes the string (for example, by calling String#replace with a longer value), Ruby reallocates the string buffer and frees the old one.

This causes the C parser's pointer to become dangling, leading to a use-after-free error when the parser tries to read from the freed memory.

This issue was fixed in version 3.17.2 of the Oj gem.

Impact Analysis

With a vulnerable Oj version, a SAJ/SAJ2 handler whose callback resizes the input string causes the C parser to read from heap memory that Ruby has already freed.

A use-after-free of this kind can crash the process or produce undefined behaviour; because the freed buffer may be reallocated for other data before the parser reads it, it can also affect the stability or security of the application using the vulnerable version.

The severity rating is considered Low: the trigger requires the application's own callback code to mutate the string that is being parsed, not merely attacker-supplied JSON.

Detection Guidance

This vulnerability occurs in Oj gem versions prior to 3.17.2 when SAJ/SAJ2 callbacks mutate the input JSON string during parsing. Detection therefore has two parts: confirm whether a vulnerable version of the Oj gem is installed, and confirm whether the application registers SAJ/SAJ2 handlers whose callbacks modify the string passed to Oj::Parser#parse.

To list the installed Oj gem version, run the following in your Ruby environment (or inspect the oj entry in Gemfile.lock for a bundled application):

  • gem list oj

If the version is prior to 3.17.2, your system is potentially vulnerable.

To check whether your application uses SAJ/SAJ2 callbacks that mutate JSON strings, review your code for Oj::Parser#parse calls and for handler methods such as hash_start, hash_end, array_start, array_end and add_value that call in-place String mutators (String#replace, <<, concat and similar) on the string being parsed.

There are no network detection commands or signatures for this vulnerability, since it is triggered by the behaviour of the application's own Ruby code rather than by network traffic.
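The two checks above, as an added example that is not part of the advisory or of the Oj project: it extracts the pinned oj version from a Gemfile.lock, compares it against the fixed release with Gem::Version, and runs a rough source heuristic that flags SAJ/SAJ2 callback bodies containing in-place String mutators. The lockfile and handler source below are constructed samples, and the callback and mutator name lists are assumptions chosen for illustration, so treat hits as leads for manual review rather than proof.

```ruby
# Added example (not from the advisory or the Oj project). Uses only the Ruby
# standard library; the Gemfile.lock and handler source below are constructed.
require "rubygems"

FIXED_OJ_VERSION = Gem::Version.new("3.17.2")

# Gemfile.lock pins look like "    oj (3.16.1)"; return the pinned version or nil.
def oj_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^\s+oj \(([\d.]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Gem::Version compares segment by segment, so 3.9.1 < 3.17.2 is handled correctly.
def oj_vulnerable?(version)
  !version.nil? && version < FIXED_OJ_VERSION
end

# SAJ/SAJ2 callback names the parser dispatches to on the handler (assumed list).
SAJ_CALLBACKS = %w[hash_start hash_end array_start array_end add_value].freeze
# In-place String mutators that can reallocate the buffer under the C parser
# (assumed, not exhaustive).
MUTATOR_RE = /\.(?:replace|concat|insert|prepend|clear|sub!|gsub!|slice!|force_encoding)(?![\w!?])|\s<<\s/

# Heuristic scan: inside each `def <callback>` body (closed by an `end` at the
# same indentation), flag lines that call a mutator.
# Returns [[callback_name, line_number, stripped_line], ...].
def mutating_callbacks(source)
  findings = []
  open_cb = nil # [callback name, indentation of its def] while inside a body
  source.each_line.with_index(1) do |line, no|
    if open_cb.nil?
      m = line.match(/^(\s*)def\s+(#{SAJ_CALLBACKS.join("|")})\b/)
      open_cb = [m[2], m[1].length] if m
      next
    end
    name, indent = open_cb
    if (e = line.match(/^(\s*)end\b/)) && e[1].length == indent
      open_cb = nil
      next
    end
    findings << [name, no, line.strip] if line.match?(MUTATOR_RE)
  end
  findings
end

# Constructed Gemfile.lock fragment with a vulnerable pin.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.16.1)
      bigdecimal (3.1.8)

  PLATFORMS
    ruby
LOCK

# Constructed handler showing the pattern the advisory describes.
SAMPLE_HANDLER = <<~'RUBY'
  class Handler
    def initialize(input)
      @input = input
    end

    def hash_start(key)
      # mutates the very String the parser is still reading
      @input.replace("x" * 4096)
    end

    def add_value(value, key)
      @seen = value.to_s
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  v = oj_version_from_lockfile(SAMPLE_LOCK)
  puts "oj #{v}: #{oj_vulnerable?(v) ? 'VULNERABLE (< 3.17.2)' : 'fixed'}"
  mutating_callbacks(SAMPLE_HANDLER).each do |name, no, text|
    puts "callback #{name} mutates a String at line #{no}: #{text}"
  end
end
```

Run it against your real Gemfile.lock and handler files by swapping the constructed samples for File.read calls; the version check is exact, the callback scan is a heuristic.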

Mitigation Strategies

The primary mitigation is to upgrade the Oj gem to version 3.17.2 or later, where this use-after-free has been fixed.

If upgrading immediately is not possible, make sure no SAJ/SAJ2 callback mutates the input JSON string during parsing, as that is what triggers the vulnerability. A simple defensive measure that does not depend on reviewing every callback is to hand the parser a private copy of the string (for example json.dup.freeze): a callback that holds a reference to the caller's original object then no longer touches the buffer the C engine is reading, and any attempt to modify the frozen copy raises FrozenError instead of reallocating it.

Review your code to ensure that callbacks such as hash_start do not resize or replace the input JSON string during parsing.
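The private-copy mitigation above, as an added example that is not code from the advisory or from the Oj project. The wrapper is the only part meant for real use; since the real gem is not loaded here, StubSajParser is an assumed stand-in that mimics the relevant behaviour of Oj::Parser (it walks the String it is given and calls the handler's hash_start while still reading that String), and MutatingHandler reproduces the callback pattern the description warns about. The wrapper applies unchanged to a real Oj::Parser, because Oj::Parser#parse takes the JSON String as its argument and a frozen String is a valid input.

```ruby
# Added example (not from the advisory or the Oj project).

# Give the parser a String object that no callback can reach or modify.
# String#dup makes it a separate object from whatever the caller (and its
# callbacks) hold; #freeze makes any in-place mutation of that copy raise
# FrozenError before Ruby can reallocate the buffer under the parser.
def parse_with_private_input(parser, json)
  parser.parse(json.dup.freeze)
end

# Assumed stand-in for Oj::Parser (the real gem is not loaded here). It reads
# the String it is given and, like Oj's SAJ engine, calls handler.hash_start for
# every object it encounters while it is still reading that same String.
class StubSajParser
  attr_accessor :handler
  attr_reader :last_input

  def parse(str)
    @last_input = str
    hashes = 0
    str.each_char do |c|
      next unless c == "{"
      hashes += 1
      handler.hash_start(nil) if handler
    end
    hashes
  end
end

# The hazardous pattern from the advisory: the handler keeps a reference to the
# caller's input String and replaces it with a longer value from a callback.
class MutatingHandler
  def initialize(str)
    @str = str
  end

  def hash_start(_key)
    @str.replace("{" * 8192)
  end
end

# True if the String refuses in-place mutation (i.e. it is frozen).
def mutation_rejected?(str)
  str.replace("x")
  false
rescue FrozenError
  true
end

# Constructed input; returns what the parser saw versus what the caller holds.
def demo
  json = +'{"a":{"b":1}}'   # unfrozen, as user-supplied input usually is
  parser = StubSajParser.new
  parser.handler = MutatingHandler.new(json)
  hashes = parse_with_private_input(parser, json)
  {
    hashes: hashes,                                          # 2: parser read its intact copy
    parser_saw_caller_object: parser.last_input.equal?(json), # false
    parser_copy_frozen: parser.last_input.frozen?,            # true
    parser_copy_rejects_mutation: mutation_rejected?(parser.last_input.dup.freeze),
    caller_string_after: json                                 # callback did mutate the caller's object
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Without the wrapper the callback's replace would resize the very String the engine is iterating; in Ruby code that is merely surprising, but in Oj's C parser it is the dangling-pointer read the advisory describes. Note that the copy costs one allocation of the input's size per parse, which is usually negligible next to parsing itself.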
