CVE-2026-54896
CVSS 2.1 (Low)
Exploitation Probability (EPSS): 2nd percentile (higher than 2% of all known CVEs), low risk
Summary
A heap buffer overflow vulnerability was found in the Oj (Optimized JSON) library for Ruby when serializing Exception objects with a large :indent value. The issue affects versions prior to 3.17.2 and has been fixed in that version.
Risk Assessment
An attacker could exploit this vulnerability to corrupt heap memory, potentially leading to application crashes, data leaks, or remote code execution.
Recommendation
Immediately update the Oj gem to version 3.17.2 or later. If an update is not possible, avoid using large :indent values when serializing Exception objects.
Original NVD description (English source)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in object mode, Oj.dump is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the accumulation of 5,000-byte indent strings overflows the 13,150-byte heap allocation, corrupting adjacent heap memory. This issue has been fixed in version 3.17.2.
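The recommendation above (update, or otherwise keep large :indent values away from Exception serialization) as a defensive guard, written here as an added example that is not part of the advisory or of the Oj project. It assumes Oj's own Oj::VERSION constant and the Oj.dump(obj, opts) signature; the SAFE_INDENT_CAP value is an arbitrary choice for this example, since the advisory states no safe threshold.

```ruby
# Added example (not Oj project code): refuse the vulnerable option combination
# described in CVE-2026-54896 when the installed Oj is older than the fix.
require 'rubygems'

FIXED_OJ_VERSION = Gem::Version.new('3.17.2')
# Assumption: a conservative cap chosen for this example; the advisory gives
# no exact boundary, only that indent: 5000 overflows the allocation.
SAFE_INDENT_CAP = 16

# True when the given Oj version string predates the fixed release.
def oj_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_OJ_VERSION
end

# Decide whether a dump call is safe to forward to Oj.
# Returns :ok or :reject_indent. Only the reported trigger is checked
# (object mode + large indent + an Exception as the top-level object);
# Exceptions nested inside other objects are not inspected here.
def check_dump_options(obj, opts, oj_version)
  return :ok unless oj_vulnerable?(oj_version)
  return :ok unless opts[:mode] == :object
  return :ok unless opts[:indent].to_i > SAFE_INDENT_CAP
  return :reject_indent if obj.is_a?(Exception)
  :ok
end

# Drop-in wrapper for Oj.dump that applies the guard against the Oj actually loaded.
def safe_dump(obj, opts = {})
  require 'oj'
  if check_dump_options(obj, opts, Oj::VERSION) == :reject_indent
    raise ArgumentError,
          "refusing indent=#{opts[:indent]} for an Exception on Oj #{Oj::VERSION} " \
          "(vulnerable to CVE-2026-54896, fixed in #{FIXED_OJ_VERSION})"
  end
  Oj.dump(obj, opts)
end
```

Once the gem is at 3.17.2 or later the guard becomes a no-op and safe_dump forwards every call unchanged.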

