CVE Catalog

CVE-2026-54900

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

17th percentile — higher than 17% of all known CVEs

Summary

In the Oj (Optimized JSON) library for Ruby, a heap corruption vulnerability exists. When a JSON object key is exactly 65,535 bytes long, an integer truncation in the form_attr function causes a negative length to be passed to memcpy, copying a huge amount of data and crashing the process. The issue is fixed in version 3.17.2.

Risk Assessment

An attacker can craft a malicious JSON document to cause heap memory corruption and application crash, leading to denial of service (DoS). In extreme cases, this could potentially enable remote code execution.

Recommendation

Immediately update the Oj gem to version 3.17.2 or later. If an update is not possible, restrict processing of untrusted JSON data with the vulnerable library version.

Original NVD description (English source)

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in usual mode with create_id enabled, Oj::Parser#parse is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE_MAX bytes (interpreted as a huge size_t), corrupting heap memory and crashing the process. The issue has been fixed in version 3.17.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS