Threat Advisory

Oj Vulnerabilities Trigger Application Termination

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

Nine high-severity vulnerabilities have been identified in the Ruby oj gem, affecting JSON parsing, document iteration, and serialization operations. The flaws include integer overflows, heap and stack buffer overflows, and multiple use-after-free conditions caused by unsafe memory-length calculations, missing garbage-collection protections, mutable parser inputs, reentrant document closure, deeply nested JSON content, and unrestricted indentation values. Attackers or unsafe application callbacks could exploit these weaknesses to corrupt process memory, trigger segmentation faults, crash affected services, and cause denial-of-service conditions in applications that process untrusted or specially constructed JSON data.

CVE-2026-54900 with a CVSS score of 8.7 – Negative-size memcpy in Oj::Parser usual mode with create_id, triggered by a 65,535-byte JSON key, causing heap corruption and process crash.

CVE-2026-54903 with a CVSS score of 8.7 – Integer overflow in Oj.load while parsing JSON strings larger than 2 GB, causing out-of-bounds memory copying and heap corruption.

CVE-2026-54902 with a CVSS score of 8.7 – Use-after-free in Oj::Parser SAJ mode where long cached keys can be collected during callbacks, causing a segmentation fault.

CVE-2026-54901 with a CVSS score of 8.7 – Use-after-free in array_class and hash_class GC marking, where reclaimed class references can crash parsing operations.

CVE-2026-54898 with a CVSS score of 8.7 – Use-after-free in SAJ callbacks when the input JSON string is mutated during parsing, leaving stale C pointers.

CVE-2026-54897 with a CVSS score of 8.7 – Use-after-free in SAJ callbacks when the input JSON string is mutated during parsing, leaving stale C pointers.

CVE-2026-54896 with a CVSS score of 8.7 – Heap buffer overflow in Oj.dump Exception serialization when large indent values overflow allocated heap memory.

CVE-2026-54892 with a CVSS score of 7.5 – Stack buffer overflow in recursive Oj::Doc#each_child processing of deeply nested JSON, causing reliable denial of service.

CVE-2026-54502 with a CVSS score of 8.7 – Stack buffer overflow in Oj.dump when an extremely large indent value writes beyond stack buffer limits.


RECOMMENDATION:

  • We recommend updating oj to version 3.17.3 or later.
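To check whether a project still pins a vulnerable release, the following added example (not part of this advisory or the oj project) reads a Gemfile.lock and compares the resolved oj version against the fixed version 3.17.3 using Ruby's standard library; the lockfile fragment is constructed for illustration.

```ruby
# Added example: flag Gemfile.lock files whose resolved oj version is
# below the fixed release named in the advisory. Standard library only.
require "rubygems"

OJ_FIXED_VERSION = Gem::Version.new("3.17.3")

# Resolved gems appear under "specs:" indented by exactly four spaces,
# e.g. "    oj (3.16.1)"; dependency lines are indented deeper and are
# skipped. A platform suffix such as "-x86_64-linux" is ignored.
def oj_version_from_lockfile(lock_text)
  lock_text.each_line do |line|
    if (m = line.match(/\A {4}oj \((\d+(?:\.\d+)*)[^)]*\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Returns :vulnerable, :fixed, or :absent for the given lockfile text.
def oj_status(lock_text, fixed = OJ_FIXED_VERSION)
  version = oj_version_from_lockfile(lock_text)
  return :absent if version.nil?
  version < fixed ? :vulnerable : :fixed
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bigdecimal (3.1.8)
      oj (3.16.1)
        bigdecimal (>= 3.0)
        ostruct (>= 0.2)
      ostruct (0.6.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    oj
LOCK

if $PROGRAM_NAME == __FILE__
  path = ARGV.first
  text = path && File.file?(path) ? File.read(path) : SAMPLE_LOCKFILE
  puts "oj: #{oj_status(text)} (fixed in #{OJ_FIXED_VERSION})"
end
```

Run it with a path to a Gemfile.lock to check a real project; without arguments it evaluates the constructed sample and reports `vulnerable`.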


REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-9cv6-qcjw-4grx
https://github.com/advisories/GHSA-475m-ph3x-64gp
https://github.com/advisories/GHSA-m578-w5vf-rfcm
https://github.com/advisories/GHSA-vwm4-62gf-x745
https://github.com/advisories/GHSA-q2gm-54r6-8fwm
https://github.com/advisories/GHSA-9ppp-w3g4-fh4q
https://github.com/advisories/GHSA-35w3-pjm6-wj95
https://github.com/advisories/GHSA-3m6q-jj5j-38c9
https://github.com/advisories/GHSA-3v45-f3vh-wg7m
