CVE-2026-54903

Heap Corruption in Oj Ruby Gem via Large JSON Parsing

Vulnerability report for CVE-2026-54903, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: ohler55
Product: oj
Version / Range: all versions prior to 3.17.2 (3.17.2 excluded)

Exploitability

CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Executive Summary

CVE-2026-54903 is a vulnerability in the Ruby gem 'oj' (Optimized JSON) versions prior to 3.17.2. It occurs when the Oj.load function parses a JSON string longer than 2 GB. An integer overflow happens in the buf_append_string function, causing the string length to wrap to a large negative value. This negative value is then used by memcpy to copy an extremely large amount of data out of bounds, leading to heap corruption and process crashes.

The root cause is that the string length is calculated as a 32-bit integer, which overflows when the string exceeds 2 GB. This vulnerability was confirmed in version 3.17.1 and fixed in version 3.17.2.
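The narrowing described above, as an added illustration in hypothetical C that is not Oj's buf.h code: the length of the string to append passes through a 32-bit int before it becomes the size_t handed to memcpy, and the checked variant rejects the length before narrowing it. The function names and the fixed destination buffer are assumptions for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the CWE-190 pattern behind
 * CVE-2026-54903, not the gem's actual code. Returns the byte count
 * memcpy would receive; no copy is performed. For lengths >= 2 GB the
 * int is negative and widening it to size_t yields a huge value. */
size_t vulnerable_copy_len(uint64_t str_len) {
    int len = (int)str_len;   /* narrowed to 32 bits: wraps at 2^31 */
    size_t n = (size_t)len;   /* sign-extended: ~1.8e19 on 64-bit */
    return n;
}

/* Hardened pattern: bound the length against the 32-bit field before
 * narrowing, and fail closed. Returns 0 and sets *out, or -1. */
int checked_copy_len(uint64_t str_len, size_t *out) {
    if (str_len > (uint64_t)INT_MAX) {
        return -1;            /* would not fit the int length field */
    }
    *out = (size_t)str_len;
    return 0;
}

/* Append into a fixed-capacity buffer only after both the length check
 * and the remaining-capacity check pass. Returns 0 on success, -1 on
 * rejection; dst is untouched on rejection. */
int buf_append_checked(char *dst, size_t dst_cap, size_t *dst_len,
                       const char *src, uint64_t src_len) {
    size_t n;
    if (checked_copy_len(src_len, &n) != 0) return -1;
    if (n > dst_cap - *dst_len) return -1;  /* would exceed capacity */
    memcpy(dst + *dst_len, src, n);
    *dst_len += n;
    return 0;
}

int main(void) {
    uint64_t two_gb = (uint64_t)1 << 31;
    size_t n = 0;
    printf("vulnerable pattern, 2 GB string: memcpy size %zu\n",
           vulnerable_copy_len(two_gb));
    printf("checked pattern, 2 GB string: rc %d\n",
           checked_copy_len(two_gb, &n));
    return 0;
}
```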

Impact Analysis

This vulnerability can cause the application using the vulnerable 'oj' gem to crash due to heap corruption when parsing specially crafted large JSON strings. The heap corruption may also lead to memory corruption of adjacent data, potentially causing unpredictable behavior or denial of service.

Detection Guidance

This vulnerability can be detected by checking the version of the Ruby gem 'oj' installed on your system. Versions prior to 3.17.2 are vulnerable.

Additionally, detection can involve attempting to parse a JSON string longer than 2 GB using Oj.load and observing whether the process crashes or exhibits heap corruption.

A practical command to check the installed version of the oj gem is:

  • gem list oj

To test for the vulnerability, one could create a large JSON string (over 2 GB) and attempt to load it with Oj.load in a Ruby script, monitoring for crashes or errors.

Mitigation Strategies

The immediate mitigation step is to upgrade the oj gem to version 3.17.2 or later, where this vulnerability has been fixed.

Avoid parsing JSON strings larger than 2 GB with vulnerable versions of Oj to prevent triggering the integer overflow and heap corruption.
