CVE-2026-54899
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk34th percentile — higher than 34% of all known CVEs
Summary
A use-after-free vulnerability has been discovered in the Oj (Optimized JSON) library for Ruby. Disabling symbol_keys on a reused Oj::Parser instance frees the internal key cache without clearing the pointer, leading to reading from freed memory during subsequent parsing.
Risk Assessment
An attacker could exploit this vulnerability to access memory data or cause application crashes, potentially leading to information disclosure or denial of service.
Recommendation
Immediately update the Oj library to version 3.17.2 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. Prior to version 3.17.2, disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern, producing a use-after-free. This issue has been fixed in version 3.17.2.

