Oj - Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent
Published: June 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54896 (NVD)
- GHSA: GHSA-35w3-pjm6-wj95
GEM
PATCHED VERSIONS
>= 3.17.3
DESCRIPTION
Summary
Oj.dump in object mode is vulnerable to a heap buffer overflow when
serializing Exception objects with a large :indent value. The
serializer allocates a buffer sized for the object's attributes but
does not account for the indent bytes added on each write. With
indent: 5000, the accumulation of 5,000-byte indent strings overflows
the 13,150-byte heap allocation, corrupting adjacent heap memory.
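A defensive check for this advisory, as an added example that is not part of the advisory or of the Oj project: it reads the oj version pinned in a Gemfile.lock, compares it against the patched release 3.17.3, and rejects an oversized :indent before options are passed to Oj.dump. The function names, the MAX_INDENT policy value and the sample lockfile are assumptions constructed for illustration.

```ruby
require "rubygems"

# First patched release, from the advisory (PATCHED VERSIONS: >= 3.17.3).
OJ_PATCHED = Gem::Version.new("3.17.3")

# Hypothetical application policy, not an Oj limit: largest :indent accepted.
MAX_INDENT = 16

# Constructed sample Gemfile.lock fragment (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      oj (3.16.1)
        bigdecimal (>= 3.0)

  DEPENDENCIES
    oj (~> 3.16)
LOCK

# Return the oj version pinned in Gemfile.lock text, or nil if oj is absent.
# Resolved gems sit under "specs:" at exactly four spaces; deeper or
# shallower lines carry dependency constraints, not resolved versions.
def locked_oj_version(lockfile_text)
  m = lockfile_text.match(/^ {4}oj \(([^)\s]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# True when the lockfile pins an oj release older than the patched one.
def oj_vulnerable?(lockfile_text)
  version = locked_oj_version(lockfile_text)
  !version.nil? && version < OJ_PATCHED
end

# Validate dump options before they reach Oj.dump. This is a stopgap for
# callers that forward externally influenced options; upgrading is the fix.
def safe_dump_options(opts = {})
  indent = opts.fetch(:indent, 0)
  unless indent.is_a?(Integer) && indent.between?(0, MAX_INDENT)
    raise ArgumentError, "indent must be an Integer in 0..#{MAX_INDENT}, got #{indent.inspect}"
  end
  opts
end

if __FILE__ == $PROGRAM_NAME
  puts "locked oj: #{locked_oj_version(SAMPLE_LOCK)}"
  puts "vulnerable: #{oj_vulnerable?(SAMPLE_LOCK)}"
end
```

In an application the validated hash would be passed on as `Oj.dump(obj, safe_dump_options(opts))`.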
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54896
- https://rubygems.org/gems/oj/versions/3.17.3
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
- https://github.com/ohler55/oj/pull/1015
- https://github.com/ohler55/oj/security/advisories/GHSA-35w3-pjm6-wj95
- https://github.com/advisories/GHSA-35w3-pjm6-wj95
