CVE Catalog

CVE-2026-54903

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

17th percentile — higher than 17% of all known CVEs

Summary

A vulnerability in the Oj (Optimized JSON) library for Ruby prior to version 3.17.2 causes heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in the buf_append_string function leads to copying an astronomically large amount of data out of bounds.

Risk Assessment

An attacker can cause a process crash and potentially corrupt adjacent heap memory, leading to unpredictable application behavior or data leakage.

Recommendation

Immediately update the Oj gem to version 3.17.2 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Oj (Optimized JSON) is a JSON parser and Object marshaller packaged as a Ruby gem. In versions prior to 3.17.2, Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory. The issue has been fixed in version 3.17.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS