CVE-2026-54897

Severity: Low (CVSS 2.1)
Source: NVD (NIST)

Exploitation Probability (EPSS)

Low risk: 0.12% (2nd percentile, i.e. higher than 2% of all known CVEs)

Summary

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, the Oj::Doc iterators each_value, each_child and each_leaf were vulnerable to a heap use-after-free. If the Ruby block yielded to during iteration calls close on the document (doc.close, or d.close on the document object the block receives), the document's heap memory is freed while the C iterator is still running; when control returns from the block, the iterator reads from the freed region. The use-after-free is therefore reachable from pure Ruby code, without any native code of the caller's own.

Risk Assessment

The flaw lives in Oj's C extension and is triggered by how the document is used, not by the JSON being parsed: attacker-controlled input alone does not reach it. It fires only when application (or library) code closes the document from inside an each_value, each_child or each_leaf block. When it does fire, the iterator continues reading from freed heap memory, which in practice means a crash of the Ruby process (denial of service) or, depending on what the allocator has since placed in that region, disclosure of other heap contents. The advisory describes reads from the freed region, not writes, and the low CVSS score (2.1) reflects the absence of an input-driven trigger. The practical exposure is code that closes a document mid-iteration, for example to stop early once a match is found; audit for that pattern rather than treating this as a parser vulnerability.

Recommendation

Upgrade the Oj gem to version 3.17.2 or later (for a Bundler project: bundle update oj, then confirm the resolved version in Gemfile.lock or with gem list oj). If an upgrade is not possible, never call doc.close (or close on the document the block receives) inside each_value, each_child or each_leaf blocks: close the document only after the iterator has returned, or use the block form Oj::Doc.open(json) { |doc| ... }, which per Oj's documentation closes the document itself when the block finishes, so no explicit close is needed.
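The following Ruby is an added example, not code from this advisory or from the Oj project. It shows three things a practitioner wants when triaging this CVE: a check of an installed or locked Oj version against the fixed release (using the RubyGems Gem::Version and Gem::Specification APIs), the close-inside-the-block pattern the advisory warns about, and the two safe forms. SAMPLE_JSON and SAMPLE_LOCKFILE are constructed inputs and the function names are my own; Oj::Doc.open, each_child and fetch are Oj's documented API, and the claim that the block form of Oj::Doc.open closes the document on exit is taken from Oj's documentation. The Oj-dependent part is skipped when the gem is not installed.

```ruby
require 'rubygems'

# Release that fixed the Oj::Doc iterator use-after-free (from the advisory).
OJ_FIXED_VERSION = Gem::Version.new('3.17.2')

# True when the given Oj version string predates the fix. Gem::Version orders
# prerelease tags correctly, so "3.17.2.pre1" counts as vulnerable while
# "3.17.2" and "3.18.0" do not.
def oj_vulnerable?(version_string)
  Gem::Version.new(version_string) < OJ_FIXED_VERSION
end

# Version string of the Oj gem visible to this Ruby, or nil if none is installed.
def installed_oj_version
  Gem::Specification.find_by_name('oj').version.to_s
rescue Gem::LoadError
  nil
end

# Pinned oj version from the text of a Gemfile.lock, or nil. Resolved gems are
# listed under "specs:" as four-space-indented "name (version)" lines.
def oj_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^ {4}oj \(([^)]+)\)\s*$/)
  m && m[1]
end

# Constructed Gemfile.lock fragment for illustration (not a real project's lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bigdecimal (3.1.8)
      oj (3.16.1)
        bigdecimal (>= 3.0)
      ostruct (0.6.0)
LOCK

# The iteration examples need the Oj gem itself; they are skipped if it is absent.
OJ_AVAILABLE = begin
  require 'oj'
  true
rescue LoadError
  false
end

# Constructed sample document (hypothetical data).
SAMPLE_JSON = '{"users":[{"name":"alice"},{"name":"bob"},{"name":"carol"}]}'

# The pattern the advisory describes: close is called from inside an
# each_child block, so on Oj < 3.17.2 the document is freed while the C
# iterator is still walking it and the next step reads freed memory. Kept only
# so the pattern is recognisable in code review; never call it on an unpatched gem.
def unsafe_first_user_name(json)
  doc = Oj::Doc.open(json)
  name = nil
  doc.each_child('/users') do |d|
    name ||= d.fetch('name')
    doc.close # "stop early" by freeing the document mid-iteration: the bug trigger
  end
  name
end

# Safe form 1: Oj::Doc.open's block form closes the document only after the
# block returns, so no iterator is live when the memory is released.
def safe_user_names(json)
  Oj::Doc.open(json) do |doc|
    names = []
    doc.each_child('/users') { |d| names << d.fetch('name') }
    names
  end
end

# Safe form 2: with explicit open/close, close only after the iterator returns.
def safe_first_user_name(json)
  doc = Oj::Doc.open(json)
  name = nil
  doc.each_child('/users') { |d| name ||= d.fetch('name') }
  doc.close
  name
end

if __FILE__ == $PROGRAM_NAME
  installed = installed_oj_version
  status = installed ? oj_vulnerable?(installed) : 'not installed'
  puts "installed oj: #{installed.inspect}, vulnerable: #{status}"
  locked = oj_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "Gemfile.lock pins oj #{locked}, vulnerable: #{oj_vulnerable?(locked)}"
  puts "users: #{safe_user_names(SAMPLE_JSON).inspect}" if OJ_AVAILABLE
end
```

Run it inside the application's bundle (bundle exec ruby check_oj.rb, assuming that file name) so installed_oj_version reports the gem the application actually loads; in a code review, grep each_value, each_child and each_leaf blocks for a close call and rewrite them to one of the two safe forms.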

Original NVD description (English source)

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to 3.17.2, Oj::Doc iterators (each_value, each_child, each_leaf) were vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator reads from the freed region, producing a use-after-free accessible from pure Ruby. This issue has been fixed in version 3.17.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS