CVE-2026-54900
MediumCVSS 6.3Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
In the Oj (Optimized JSON) library for Ruby, a heap corruption vulnerability exists. When a JSON object key is exactly 65,535 bytes long, an integer truncation in the form_attr function causes a negative length to be passed to memcpy, copying a huge amount of data and crashing the process. The issue is fixed in version 3.17.2.
Risk Assessment
An attacker can craft a malicious JSON document to cause heap memory corruption and application crash, leading to denial of service (DoS). In extreme cases, this could potentially enable remote code execution.
Recommendation
Immediately update the Oj gem to version 3.17.2 or later. If an update is not possible, restrict processing of untrusted JSON data with the vulnerable library version.
Original NVD description (English source)
Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, when in usual mode with create_id enabled, Oj::Parser#parse is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to copy SIZE_MAX bytes (interpreted as a huge size_t), corrupting heap memory and crashing the process. The issue has been fixed in version 3.17.2.

