Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby. This issue has been fixed in version 3.17.2.
Published: 2026-06-30
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap use-after-free in Oj::Doc's iterators. When a Ruby block yielded during iteration calls doc.close or d.close, the iterator's C code keeps running after the document's memory has been freed. The iterator then reads the freed memory, exposing a use-after-free that can be triggered from pure Ruby code. The flaw could crash the program or, depending on the memory contents, could allow an attacker to execute arbitrary code within the Ruby process.

Affected Systems

Vendor: ohler55. Product: the Oj Ruby gem. Versions older than 3.17.2 are affected. Applications that load JSON with the affected gem and iterate over it with Oj::Doc's each_value, each_child or each_leaf are vulnerable.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires the attacker to supply Ruby code that invokes close during iterator execution, so the attack surface is limited to applications that use the affected gem and process untrusted or user-supplied JSON. Exploitation would typically need control over the Ruby environment, which is often restricted, so the overall risk and likelihood of exploitation are low, though the vulnerability remains present until the gem is updated.

Generated by OpenCVE AI on July 1, 2026 at 03:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Oj gem to version 3.17.2 or newer to eliminate the use-after-free flaw.
  • Verify that your application’s Gemfile.lock or dependency lock file references Oj 3.17.2 or later and rebuild the environment.
  • Audit the codebase for any calls to doc.close or d.close inside iterator blocks and remove or refactor them to avoid invoking close while iterating.
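The third action is a source audit. The Ruby script below is an added example, not OpenCVE's or the Oj project's code: it uses the standard-library Ripper parser to flag any `close` identifier that appears inside a block attached to an each_value, each_child or each_leaf call. The sample source it scans is constructed for the demonstration and is only parsed, never executed, so the Oj gem does not need to be installed.

```ruby
require "ripper"

# Oj::Doc iterator methods named in the advisory.
REENTRANT_ITERATORS = %w[each_value each_child each_leaf].freeze

# Constructed sample source for the audit to scan (parsed, not run): the first
# loop closes the document from inside the iterator block, the second closes it
# only after the loop has finished.
SAMPLE_SOURCE = <<~'RUBY'
  require "oj"

  doc = Oj::Doc.open('{"a":[1,2,3]}')

  # Unsafe: the block closes the document the iterator is still walking.
  doc.each_value do |v|
    puts v
    doc.close
  end

  # Safe: close only after iteration has returned.
  d = Oj::Doc.open('{"b":true}')
  d.each_leaf { |leaf| puts leaf }
  d.close
RUBY

# Collect every identifier token ([:@ident, name, [line, col]]) in a
# Ripper S-expression subtree.
def ident_tokens(node, out = [])
  return out unless node.is_a?(Array)
  if node[0] == :@ident && node[1].is_a?(String)
    out << node
  else
    node.each { |child| ident_tokens(child, out) }
  end
  out
end

# Recursive walk: every :method_add_block node is a call with an attached
# block. If the call names one of the iterators and the block body contains
# a `close` identifier, record the iterator and both line numbers.
def collect_findings(node, findings)
  return unless node.is_a?(Array)
  if node[0] == :method_add_block
    call_part, block_part = node[1], node[2]
    iter = ident_tokens(call_part).find { |t| REENTRANT_ITERATORS.include?(t[1]) }
    if iter
      ident_tokens(block_part).each do |t|
        next unless t[1] == "close"
        findings << { iterator: iter[1], iterator_line: iter[2][0], close_line: t[2][0] }
      end
    end
  end
  node.each { |child| collect_findings(child, findings) }
end

# Parse Ruby source and return the list of findings. The list is empty for
# clean source and also for source Ripper cannot parse (Ripper.sexp returns
# nil on a syntax error); a caller should treat the latter as inconclusive.
def find_reentrant_close(source)
  tree = Ripper.sexp(source)
  return [] if tree.nil?
  findings = []
  collect_findings(tree, findings)
  findings
end

if __FILE__ == $PROGRAM_NAME
  find_reentrant_close(SAMPLE_SOURCE).each do |f|
    puts "#{f[:iterator]} block at line #{f[:iterator_line]} calls close at line #{f[:close_line]}"
  end
end
```

To audit a real file, pass `File.read(path)` to find_reentrant_close. The check is deliberately broad: any `close` inside the block is reported, including a close on some other object, because a reviewer is better placed than a script to decide which receiver is the document. Nested iterator blocks that both contain a close are reported once per enclosing iterator.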



Advisories
Source: GitHub GHSA
ID: GHSA-9ppp-w3g4-fh4q
Title: Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close
History

Tue, 30 Jun 2026 23:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby. This issue has been fixed in version 3.17.2.
Title       |                | Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close
Weaknesses  |                | CWE-416
References  |                |
Metrics     |                | cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T23:22:43.648Z

Reserved: 2026-06-16T13:49:33.555Z

Link: CVE-2026-54897

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:15:15Z

Weaknesses