CVE-2026-54898
Severity: Low (CVSS 2.1)
Exploitation Probability (EPSS): Low risk, 2nd percentile (higher than 2% of all known CVEs)
Summary
A heap use-after-free vulnerability exists in the C engine of the Oj (Optimized JSON) Ruby gem prior to version 3.17.2. The issue occurs when a SAJ/SAJ2 callback mutates the input JSON string during parsing, causing the internal buffer to be reallocated and leaving a dangling pointer.
Risk Assessment
An attacker could exploit this vulnerability to achieve remote code execution or cause application crashes, compromising system confidentiality, integrity, or availability.
Recommendation
Upgrade the Oj gem immediately to version 3.17.2 or later, which contains the fix for this vulnerability.
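To confirm which Oj release a project actually resolves to, the following added example (not code from the Oj project or from this advisory) audits the text of a Gemfile.lock against the fixed version 3.17.2. The helper names and the sample lockfile are constructed for illustration.

```ruby
# Added example: flags oj releases older than the fixed version named above.
require "rubygems" # Gem::Version (normally preloaded; explicit for clarity)

OJ_FIXED = Gem::Version.new("3.17.2") # fixed version stated in the advisory

# Constructed sample lockfile, embedded so the script runs offline.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bigdecimal (3.1.8)
      oj (3.16.3)
        bigdecimal (>= 3.0)

  DEPENDENCIES
    oj
LOCK

# Returns the oj versions pinned in a Gemfile.lock body (resolved specs only).
def locked_oj_versions(lock_text)
  in_specs = false
  versions = []
  lock_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A {2}specs:\z/
      in_specs = true
    elsif line =~ /\A\S/ || line.empty?
      in_specs = false # a blank line or new top-level section ends the list
    elsif in_specs && (m = line.match(/\A {4}oj \(([^)]+)\)\z/))
      versions << m[1] # 4-space indent = resolved gem; 6 = dependency range
    end
  end
  versions
end

# Returns :vulnerable, :fixed or :absent. Unparsable versions count as
# vulnerable so they get a manual look instead of a silent pass.
def oj_status(lock_text)
  versions = locked_oj_versions(lock_text)
  return :absent if versions.empty?
  bad = versions.any? do |v|
    base = v.split("-", 2).first # drop any platform suffix such as "-java"
    !Gem::Version.correct?(base) || Gem::Version.new(base) < OJ_FIXED
  end
  bad ? :vulnerable : :fixed
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "oj: #{oj_status(text)} (fixed in #{OJ_FIXED})"
end
```

Pass the path to a real Gemfile.lock as the first argument to audit it instead of the sample; pre-release builds of 3.17.2 are reported as vulnerable because they sort below the fixed release.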
Original NVD description (English source)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte * pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling String#replace with a longer value — Ruby reallocates the string buffer and frees the old one. The C parser's pointer is left dangling; the next character read at parser.c:607 is a use-after-free. This issue has been fixed in version 3.17.2.

