CVE-2026-54901

BaseFortify

Vulnerability report for CVE-2026-54901, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser in usual mode does not mark array_class and hash_class references during garbage collection, leading to Use-After-Free. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed object, producing a segfault. This issue has been fixed in version 3.17.2.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: ohler55
Product: oj
Version / Range: all versions up to 3.17.2 (3.17.2 itself excluded)

Exploitability

CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

AI Quick Actions

Executive Summary

CVE-2026-54901 is a Use-After-Free vulnerability in the Oj::Parser component of the oj Ruby gem, affecting versions prior to 3.17.2.

The issue arises because the parser does not properly mark certain class references (array_class and hash_class) during garbage collection. If garbage collection runs after these classes are assigned but before parsing starts, the class objects can be freed.

As a result, the parser holds a dangling reference to freed memory. When it later tries to use this reference during parsing, it dereferences invalid memory, causing a segmentation fault (crash).

This vulnerability was fixed in version 3.17.2 of the oj gem.

Impact Analysis

This vulnerability can cause your application to crash due to a segmentation fault when parsing JSON using the vulnerable oj gem versions.

Such crashes can lead to denial of service, potentially disrupting application availability.

Since the issue involves memory corruption, it might also be exploitable to cause unexpected behavior, although the primary confirmed impact is a crash.

Detection Guidance

This vulnerability manifests as a segmentation fault (crash) during JSON parsing in applications that use Oj gem versions prior to 3.17.2. The crash is a Use-After-Free: the parser fails to mark its array_class and hash_class references during garbage collection, so those objects can be reclaimed while the parser still references them.

Detection can involve monitoring for unexpected crashes or segmentation faults in Ruby applications that use the Oj gem, especially during JSON parsing operations.

Since the issue is triggered internally by the interaction of the garbage collector and the parser, there is no network-observable signature that would allow it to be detected remotely.

On the system, you can check the installed version of the oj gem with the following command to identify if the vulnerable version is present:

  • gem list oj

If the version is prior to 3.17.2, the system is vulnerable.
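The version check above, turned into a script as an added example (not code from the BaseFortify page or from the oj project): it parses the output of `gem list oj` and the pinned `oj` line of a Gemfile.lock and compares each version against 3.17.2 with Gem::Version, which orders segments numerically and ranks prereleases below the release. The sample inputs are constructed for the demonstration.

```ruby
# Added example, not from the BaseFortify page or the oj project: flags oj versions
# in the range reported for CVE-2026-54901 (every version before 3.17.2).
require "rubygems"

FIXED_OJ_VERSION = Gem::Version.new("3.17.2")

# True when version_string is older than the fixed release; nil if unparsable.
# Gem::Version compares segment-wise ("3.9.0" < "3.17.2"), which a plain
# string comparison would get wrong, and ranks prereleases below the release.
def oj_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_OJ_VERSION
rescue ArgumentError
  nil
end

# Versions from `gem list oj` output, e.g. "oj (3.16.1, 3.10.6)" -> ["3.16.1", "3.10.6"].
# Only the exact gem name "oj" is matched, so a gem such as "oj-introspect" is ignored.
def installed_oj_versions(gem_list_output)
  gem_list_output.each_line do |line|
    if (m = line.match(/\Aoj \(([^)]*)\)\s*\z/))
      return m[1].split(",").map(&:strip)
    end
  end
  []
end

# Locked version from Gemfile.lock text: the 4-space-indented "oj (x.y.z)" spec line.
def locked_oj_version(lockfile_text)
  m = lockfile_text.match(/^ {4}oj \(([^)\s]+)\)\s*$/)
  m && m[1]
end

# :vulnerable if any listed version is below 3.17.2 (conservative: several versions
# may coexist under `gem list`), :fixed otherwise, :absent if oj is not present.
def assess(versions)
  return :absent if versions.empty?
  versions.any? { |v| oj_vulnerable?(v) } ? :vulnerable : :fixed
end

# Constructed sample inputs for the demonstration.
SAMPLE_GEM_LIST = "oj (3.16.1, 3.10.6)\noj-introspect (0.7.2)\n"
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.16.1)
        bigdecimal (>= 3.0)
LOCK

if __FILE__ == $0
  puts "gem list:     #{assess(installed_oj_versions(SAMPLE_GEM_LIST))}"
  puts "Gemfile.lock: #{assess([locked_oj_version(SAMPLE_LOCKFILE)].compact)}"
end
```

Pipe real output in with `gem list oj` or read the project's Gemfile.lock; a result of :vulnerable means the upgrade to 3.17.2 or later described under Mitigation Strategies still applies.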

Additionally, monitoring application logs for segmentation faults or core dumps related to Ruby processes using Oj may help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade the oj gem to version 3.17.2 or later, where the Use-After-Free issue has been fixed.

If upgrading immediately is not possible, consider applying any available patches or workarounds provided by the maintainers.

Additionally, monitor your applications for crashes and avoid running untrusted JSON parsing operations with vulnerable versions.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
