Oj - Use-After-Free in Oj::Doc Iterators via Reentrant Close
Published: June 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54897 (NVD)
- GHSA: GHSA-9ppp-w3g4-fh4q
GEM
PATCHED VERSIONS
>= 3.17.3
DESCRIPTION
Summary
Oj::Doc iterators (each_value, each_child, each_leaf) are
vulnerable to a heap use-after-free. When a Ruby block yielded during
iteration calls doc.close or d.close, the document's heap memory
is freed while the C iterator is still running. When control returns
from the block, the iterator reads from the freed region, producing
a use-after-free accessible from pure Ruby.
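The reentrancy hazard described in the Summary, modelled in C as an added example; it is not code from Oj or from the fix in 3.17.3. The names doc_t, doc_open, doc_close, doc_each_leaf and close_on_first are hypothetical, and deferring the free until the iterator unwinds is one common mitigation for this bug class, assumed here for illustration.

```c
#include <stdlib.h>
#include <stdbool.h>

/* Simplified model (assumption): not Oj's real structures or its actual fix. */
typedef struct doc {
    int   *leaves;        /* heap storage the iterator walks */
    size_t n;
    int    iterating;     /* > 0 while a C iterator is on the stack */
    bool   close_pending; /* close was requested from inside a callback */
} doc_t;
typedef void (*leaf_cb)(doc_t *d, int value, void *ctx);

doc_t *doc_open(const int *vals, size_t n) {
    doc_t *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->leaves = malloc(n * sizeof *d->leaves);
    if (!d->leaves) { free(d); return NULL; }
    for (size_t i = 0; i < n; i++) d->leaves[i] = vals[i];
    d->n = n;
    return d;
}

/* Hardened close: while an iterator is live, only record the request.
 * The vulnerable shape frees d->leaves here unconditionally. */
void doc_close(doc_t *d) {
    if (d->iterating > 0) { d->close_pending = true; return; }
    free(d->leaves);
    d->leaves = NULL; d->n = 0;
    d->close_pending = false;
}

/* Iterator: the callback may re-enter doc_close(). Storage stays valid until
 * the outermost iteration ends, then the deferred close runs. */
size_t doc_each_leaf(doc_t *d, leaf_cb cb, void *ctx) {
    size_t visited = 0;
    d->iterating++;
    for (size_t i = 0; i < d->n && !d->close_pending; i++) {
        cb(d, d->leaves[i], ctx);
        visited++;
    }
    if (--d->iterating == 0 && d->close_pending) doc_close(d);
    return visited;
}

/* Constructed callback: sums the value, then closes the document mid-iteration. */
void close_on_first(doc_t *d, int value, void *ctx) {
    *(int *)ctx += value;
    doc_close(d);
}
```

The iteration counter also covers nested iterators: the storage is released only when the outermost one returns.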
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54897
- https://rubygems.org/gems/oj/versions/3.17.3
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
- https://github.com/ohler55/oj/pull/1015
- https://github.com/ohler55/oj/security/advisories/GHSA-9ppp-w3g4-fh4q
- https://github.com/advisories/GHSA-9ppp-w3g4-fh4q
