Description
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, Oj is vulnerable to Use-After-Free when in SAJ mode. The Oj::Parser does not protect cached object keys (≥ 35 bytes) from garbage collection, and a Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content). This issue has been fixed in version 3.17.2.
Published: 2026-06-30
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Oj, a Ruby JSON parsing library, is a use-after-free (CWE-416) in the native Oj::Parser when it runs in SAJ (callback) mode. The parser caches object keys of 35 bytes or more without protecting them from garbage collection, so a Ruby handler whose hash_end callback triggers a GC can have the key string reclaimed while the C code still holds a pointer to it. The parser's next access to the freed string VALUE crashes the process. The advisory reports the crash with RIP pointing at 0x4242, a canary-style value, which shows that the contents of the freed memory influenced control flow. The published material demonstrates only a crash, and the CVSS v4 vector recorded below scores only a low availability impact (VA:L, with VC:N and VI:N); whether an attacker could shape the reclaimed memory into code execution is not established by the advisory.
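The trigger described above, written out as an added example (not code from the Oj project or from the advisory): a SAJ handler of exactly the shape the advisory warns about, whose hash_end callback forces a garbage collection while the parser still holds the key string, fed a document whose object key is 40 bytes long. The handler method names (hash_start, hash_end, array_start, array_end, add_value) and the Oj::Parser.new(:saj) / handler= / parse calls follow the documented Oj::Parser SAJ interface; the document, the 40-byte key and the handler class are constructed for this example. On Oj older than 3.17.2 the parse call may kill the interpreter, so run it only in a throwaway process; the script degrades to a plain status when the oj gem is not installed.

```ruby
require "json"

# The oj gem is optional here so the example loads even where it is absent.
begin
  require "oj"
  OJ_AVAILABLE = true
rescue LoadError
  OJ_AVAILABLE = false
end

# Object keys of 35 bytes or more take the cached-key path named in the advisory.
LONG_KEY_THRESHOLD = 35

# Constructed input: a JSON object whose single key is exactly `key_bytes` long,
# holding a nested object so that hash_end fires with the long key as argument.
def long_key_document(key_bytes = 40)
  key = "k" * key_bytes
  JSON.generate({ key => { "nested" => 1 } })
end

def long_key?(key)
  key.bytesize >= LONG_KEY_THRESHOLD
end

# Hypothetical SAJ handler: it does what an innocent handler might do by
# accident (allocate enough to cause GC), made deterministic with GC.start.
class GcForcingHandler
  attr_reader :keys_seen, :gc_runs

  def initialize
    @keys_seen = []
    @gc_runs = 0
  end

  def hash_start(key); end
  def array_start(key); end
  def array_end(key); end

  def add_value(value, key)
    @keys_seen << key if key
  end

  # The dangerous spot from the advisory: a GC inside hash_end while the
  # C parser still points at the cached key string it will touch next.
  def hash_end(key)
    @keys_seen << key if key
    GC.start
    @gc_runs += 1
  end
end

# Runs the constructed document through Oj::Parser in SAJ mode.
# Returns :oj_not_installed when the gem is missing, :completed when the
# parse returns; on a vulnerable Oj the process may segfault instead.
def run_reproducer(json = long_key_document)
  return :oj_not_installed unless OJ_AVAILABLE
  handler = GcForcingHandler.new
  parser = Oj::Parser.new(:saj)
  parser.handler = handler
  parser.parse(json)
  :completed
end

if __FILE__ == $PROGRAM_NAME
  puts "oj installed: #{OJ_AVAILABLE}#{" (#{Oj::VERSION})" if OJ_AVAILABLE}"
  puts "key length #{JSON.parse(long_key_document).keys.first.bytesize} bytes, " \
       "long key: #{long_key?(JSON.parse(long_key_document).keys.first)}"
  puts run_reproducer
end
```

When reviewing your own SAJ handlers, the question this example isolates is whether hash_end can allocate: GC.start is only the deterministic stand-in for any allocation-heavy callback.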

Affected Systems

All Ruby applications that depend on the oj gem (github.com/ohler55/oj) before version 3.17.2 and parse JSON through Oj::Parser in SAJ mode are affected, on any Ruby platform, whenever the input contains object keys of 35 bytes or more. The description scopes the flaw to SAJ mode; applications that use Oj only through its non-SAJ parsing paths do not exercise the code described in the advisory.
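Two checks a practitioner would run to decide whether a code base falls into the affected set, as an added example (not code from Oj or OpenCVE): a Gemfile.lock audit that compares the locked oj version against the 3.17.2 fix, and a source grep for Oj::Parser SAJ construction sites. The lockfile and source snippets are constructed for the example; the SAJ_CALL_SITE pattern assumes SAJ parsers are created with Oj::Parser.new(:saj) or Oj::Parser.saj, so other construction styles in your code would need their own pattern.

```ruby
require "rubygems"

FIXED_OJ_VERSION = Gem::Version.new("3.17.2")

# Gemfile.lock lists resolved gems as "    name (version)" (4-space indent)
# under GEM/specs; dependency lines beneath a gem are indented further.
OJ_LOCK_LINE = /^ {4}oj \(([^)\s]+)\)/

# Assumed constructors for a SAJ-mode Oj::Parser.
SAJ_CALL_SITE = /Oj::Parser\.(?:new\(\s*:saj\b|saj\b)/

def locked_oj_version(lockfile_text)
  m = lockfile_text.match(OJ_LOCK_LINE)
  m && Gem::Version.new(m[1])
end

def oj_vulnerable?(version)
  return false if version.nil?
  Gem::Version.new(version.to_s) < FIXED_OJ_VERSION
end

# Returns { status: :not_present } or { status: :vulnerable | :fixed, version: "x.y.z" }.
def audit_lockfile(lockfile_text)
  v = locked_oj_version(lockfile_text)
  return { status: :not_present } if v.nil?
  { status: oj_vulnerable?(v) ? :vulnerable : :fixed, version: v.to_s }
end

# Lists "path:line: text" for every line that builds a SAJ-mode parser.
def saj_call_sites(source, path = "(source)")
  source.each_line.with_index(1).filter_map do |line, no|
    "#{path}:#{no}: #{line.strip}" if line.match?(SAJ_CALL_SITE)
  end
end

# Constructed lockfile excerpt pinning a pre-fix oj release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bigdecimal (3.1.8)
      oj (3.16.9)
        bigdecimal (>= 3.0)
        ostruct (>= 0.2)
      ostruct (0.6.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    oj
LOCK

# Constructed source excerpt with one SAJ parser and one unrelated Oj call.
SAMPLE_SOURCE = <<~RUBY
  require "oj"
  fast = Oj::Parser.new(:saj)
  fast.handler = MetricsHandler.new
  other = Oj.load(body)
RUBY

if __FILE__ == $PROGRAM_NAME
  puts audit_lockfile(SAMPLE_LOCKFILE).inspect
  puts saj_call_sites(SAMPLE_SOURCE, "app/ingest.rb")
end
```

A :vulnerable lockfile with no SAJ call sites is still worth upgrading, but the crash path in the advisory is only reachable through the call sites the second check reports.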

Risk and Exploitability

The CVSS v4.0 base score of 6.3 (Medium) reflects a flaw reachable over the network without privileges or user interaction (AV:N/PR:N/UI:N) that carries an attack requirement (AT:P) and only a low availability impact (VA:L). No EPSS score has been published and the CVE is not in the CISA KEV catalog, so there is no public evidence of exploitation; the missing EPSS value is not evidence either way. The attacker does not need to control the Ruby callback: the precondition is that the application's own hash_end handler causes a GC at the moment the parser has handed it a cached key of 35 bytes or more, and the attacker only has to supply JSON containing such keys to an endpoint parsed in SAJ mode. Because Ruby GC can run on ordinary allocation inside a handler, an attacker-supplied document with many long keys gives many chances for that timing to line up. The demonstrated outcome is a process crash (denial of service); anything more severe would require control over what lands in the freed allocation, which the advisory does not show. Treat the risk as moderate, higher for services that run SAJ parsing on untrusted input.

Generated by OpenCVE AI on July 1, 2026 at 03:08 UTC.

Remediation

The vendor fix is Oj 3.17.2 (GHSA-m578-w5vf-rfcm, listed under Advisories below); no separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade the oj gem to version 3.17.2 or later; this is the vendor fix.
  • Where streaming callbacks are not required, parse with Oj's non-SAJ paths instead of Oj::Parser in SAJ mode so the affected callback path is not exercised.
  • If an upgrade is not immediately possible, treat SAJ endpoints that receive untrusted JSON as exposed: the trigger is an object key of 35 bytes or more combined with a hash_end handler that causes a GC. Keeping hash_end handlers free of allocation lowers the chance of a GC at that point but cannot rule it out, since GC timing is not under the application's control, so do not rely on callbacks "not triggering GC" as a mitigation.

Generated by OpenCVE AI on July 1, 2026 at 03:08 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-m578-w5vf-rfcm
Title: Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback
History

Wed, 01 Jul 2026 00:15:00 +0000

Values added:

Description: Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, Oj is vulnerable to Use-After-Free when in SAJ mode. The Oj::Parser does not protect cached object keys (≥ 35 bytes) from garbage collection, and a Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results in a segfault, confirmed by an RIP pointing to address 0x4242 (a canary-style pattern suggesting control over the freed memory's content). This issue has been fixed in version 3.17.2.
Title: Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback
Weaknesses: CWE-416
References: (none)
Metrics: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T23:40:32.627Z

Reserved: 2026-06-16T13:49:33.555Z

Link: CVE-2026-54902

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T03:15:15Z

Weaknesses