CVE-2026-54901
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
A Use-After-Free vulnerability was found in the Oj (Optimized JSON) library for Ruby in normal parser mode. The issue occurs when the garbage collector reclaims array_class and hash_class objects before they are used, leading to dereferencing freed memory and a segfault.
Risk Assessment
An attacker can cause application crashes (segfault) by triggering garbage collection at the right moment, resulting in denial of service (DoS).
Recommendation
Immediately update the Oj gem to version 3.17.2 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser in usual mode does not mark array_class and hash_class references during garbage collection, leading to Use-After-Free. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed object, producing a segfault. This issue has been fixed in version 3.17.2.

