Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in usual mode with create_id enabled, Oj::Parser#parse is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE_MAX bytes (interpreted as a huge size_t), corrupting heap memory and crashing the process. The issue has been fixed in version 3.17.2.
Published: 2026-06-30
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oj, the Optimized JSON Ruby gem, contains a negative-size memcpy bug in its parser when the create_id option is enabled. If a JSON object key is exactly 65,535 bytes long, an integer truncation turns the length into −1 before calling memcpy. This results in an overflow of the size parameter, causing memcpy to copy SIZE_MAX bytes. The effect is heap corruption that can crash the process or, in the right conditions, lead to arbitrary code execution. The vulnerability is triggered by a maliciously crafted JSON string and does not require additional user interaction.

Affected Systems

The affected product is the Oj gem for Ruby, version 3.17.1 and earlier. The issue is documented for vendors using the ohler55:oj library in environments that enable the create_id feature. Versions 3.17.2 and later contain a fixed parser implementation.

Risk and Exploitability

The CVSS score of 6.3 tags the issue as moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, indicating a low to moderate likelihood of exploitation in the wild. Attackers can cause denial of service or potentially execute arbitrary code by supplying a specially crafted JSON document with a 65,535‑character key to an application that uses the vulnerable version of Oj with create_id enabled. In the absence of further mitigations, this represents a non‑negligible risk to applications that parse untrusted JSON payloads.

Generated by OpenCVE AI on July 1, 2026 at 01:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oj to version 3.17.2 or later
  • If an upgrade is not feasible, disable the create_id option in all Oj parsers to avoid the code path that triggers the bug
  • Validate all JSON keys so that none exceed a safe length (e.g., 1,000 bytes) before passing them to Oj for parsing
  • Apply runtime memory protection mechanisms such as ASLR and stack canaries to reduce the impact of any remaining heap corruption

Generated by OpenCVE AI on July 1, 2026 at 01:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9cv6-qcjw-4grx Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling
History

Tue, 30 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Description Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in usual mode with create_id enabled, Oj::Parser#parse is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE_MAX bytes (interpreted as a huge size_t), corrupting heap memory and crashing the process. The issue has been fixed in version 3.17.2.
Title Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling
Weaknesses CWE-190
CWE-787
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T23:34:05.904Z

Reserved: 2026-06-16T13:49:33.555Z

Link: CVE-2026-54900

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T01:15:16Z

Weaknesses