CVE Catalog

CVE-2026-54898

Severity: Low (CVSS 2.1)

Exploitation Probability (EPSS)

Low risk
0.12%

2nd percentile (higher than the EPSS score of 2% of all known CVEs)

Summary

A heap use-after-free vulnerability exists in the C engine of the Oj (Optimized JSON) Ruby gem prior to version 3.17.2. The issue occurs when a SAJ/SAJ2 callback mutates the input JSON string while parsing is in progress: Ruby reallocates the string's internal buffer and frees the old one, leaving the parser's raw pointer into the old buffer dangling, and the next character read goes through that freed memory.

Risk Assessment

The dangling read occurs only when the application's own SAJ/SAJ2 callback resizes the input string during parsing, so the precondition is under the application's control rather than the attacker's; this is consistent with the Low CVSS score. Where that precondition holds, attacker-controlled JSON that triggers the callback can crash the process (denial of service), and since the stale read happens in native code it is memory corruption in principle, with code execution not ruled out but not demonstrated.

Recommendation

Upgrade the Oj gem to version 3.17.2 or later, which contains the fix for this vulnerability. Independently of the upgrade, audit SAJ/SAJ2 handlers for code that modifies the string being parsed (String#replace, <<, slice! and similar) and remove it; as defence in depth, hand the parser a frozen copy of the input (json.dup.freeze), since the engine only reads the buffer and a frozen string turns any mutation in a callback into a Ruby FrozenError instead of a dangling pointer in C.

Original NVD description (English source)

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw `const byte *` pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string, for example by calling String#replace with a longer value, Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.
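The following is an added C model of the mechanism in the description above; it is not Oj's code and makes no claim about how 3.17.2 patches the gem. A stand-in `rstr` type plays the Ruby string, `rstr_replace` plays String#replace with a longer value (new buffer allocated, old one freed), `parse_vulnerable` keeps a raw pointer into the buffer across the `hash_start` callback the way the description says the engine does, and `parse_hardened` shows one defensible fix: track an offset instead of a pointer, re-read the buffer on every access, and abort with an error if a callback replaced it. The generation counter, all function names and the JSON inputs are constructed for this example and are not Ruby or Oj internals.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a Ruby String (assumed model, not Ruby's RString): a heap
 * buffer that a resize reallocates. 'gen' counts reallocations so a parser
 * can tell that the buffer it was pointing into has been freed. */
typedef struct {
    char    *ptr;   /* like RSTRING_PTR: valid only until the next resize */
    size_t   len;
    unsigned gen;   /* bumped whenever ptr is replaced */
} rstr;

static void rstr_init(rstr *s, const char *v) {
    s->len = strlen(v);
    s->ptr = malloc(s->len + 1);
    memcpy(s->ptr, v, s->len + 1);
    s->gen = 0;
}

/* Models String#replace with a longer value: new buffer allocated, old one
 * freed. This is the event that leaves the parser's cursor dangling. */
static void rstr_replace(rstr *s, const char *v) {
    size_t n = strlen(v);
    char *fresh = malloc(n + 1);
    memcpy(fresh, v, n + 1);
    free(s->ptr);
    s->ptr = fresh;
    s->len = n;
    s->gen++;
}

static void rstr_free(rstr *s) { free(s->ptr); s->ptr = NULL; s->len = 0; }

/* SAJ-style hash_start callback; it is given the input so it can misbehave
 * the way the advisory describes. */
typedef void (*hash_start_fn)(rstr *input);

enum { PARSE_OK = 0, PARSE_UNBALANCED = -1, PARSE_INPUT_MUTATED = -2 };

/* VULNERABLE pattern: cur/end are raw pointers into input->ptr taken once.
 * If the callback resizes the input, the next '*cur' reads freed memory
 * (the heap use-after-free). Only call it with a callback that leaves the
 * input alone; build with -fsanitize=address to see the report otherwise. */
static int parse_vulnerable(rstr *input, hash_start_fn hash_start) {
    const char *cur = input->ptr;
    const char *end = input->ptr + input->len;
    int depth = 0;
    while (cur < end) {
        char c = *cur;                        /* stale after a mutating callback */
        if (c == '{') { depth++; hash_start(input); }
        else if (c == '}') { depth--; }
        cur++;
    }
    return depth == 0 ? PARSE_OK : PARSE_UNBALANCED;
}

/* HARDENED pattern: keep an offset, re-read ptr/len from the string on
 * every access, and refuse to continue if a callback replaced the buffer. */
static int parse_hardened(rstr *input, hash_start_fn hash_start) {
    size_t pos = 0;
    int depth = 0;
    while (pos < input->len) {
        char c = input->ptr[pos];
        if (c == '{') {
            depth++;
            unsigned gen_before = input->gen;
            hash_start(input);
            if (input->gen != gen_before)     /* buffer was reallocated */
                return PARSE_INPUT_MUTATED;
        } else if (c == '}') {
            depth--;
        }
        pos++;
    }
    return depth == 0 ? PARSE_OK : PARSE_UNBALANCED;
}

/* A well-behaved callback and the misbehaving one from the advisory. */
static void cb_benign(rstr *input) { (void)input; }
static void cb_mutating(rstr *input) {
    rstr_replace(input, "{\"a\":1,\"b\":2,\"c\":3,\"d\":4}");   /* longer value */
}

/* Parse a constructed JSON text with the hardened parser; return its code. */
static int run_hardened(const char *json, hash_start_fn hash_start) {
    rstr s;
    rstr_init(&s, json);
    int rc = parse_hardened(&s, hash_start);
    rstr_free(&s);
    return rc;
}

int main(void) {
    rstr s;
    rstr_init(&s, "{\"a\":{\"b\":[1,2]}}");
    printf("vulnerable, benign cb: %d\n", parse_vulnerable(&s, cb_benign));
    rstr_free(&s);
    printf("hardened, benign cb:   %d\n", run_hardened("{\"a\":{\"b\":[1,2]}}", cb_benign));
    printf("hardened, mutating cb: %d\n", run_hardened("{\"a\":1}", cb_mutating));
    printf("hardened, unbalanced:  %d\n", run_hardened("{\"a\":1", cb_benign));
    return 0;
}
```

The hardened variant deliberately fails closed: once the input has been replaced, neither the old offset nor the old pointer means anything, so the only safe outcome is an error back to the caller. An alternative with the same effect is to parse from a private copy of the input so callbacks cannot reach the buffer at all.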

Vulnerability data from NVD (NIST) · CISA KEV · EPSS