Oj - Use-After-Free in Oj::Parser SAJ Callback via Input Mutation
Published: June 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54898 (NVD)
- GHSA: GHSA-q2gm-54r6-8fwm
GEM
oj
PATCHED VERSIONS
>= 3.17.3
DESCRIPTION
Summary
Oj::Parser#parse is vulnerable to a heap use-after-free when a
SAJ/SAJ2 callback mutates the input JSON string during parsing.
The C engine holds a raw const byte * pointer into the Ruby string's
internal buffer. If a callback (e.g. hash_start) resizes the
string — for example by calling String#replace with a longer
value — Ruby reallocates the string buffer and frees the old one. The
C parser's pointer is left dangling; the next character read
at parser.c:607 is a use-after-free.
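To make the failure mode concrete, the following is an added C example, not Oj's code and not the change in the linked pull request. A small SAJ-style scanner runs over a growable buffer that stands in for the Ruby String; the `str_buf` type with its `gen` counter, the `hash_start` callbacks and the sample JSON are all constructed for this illustration. The vulnerable variant (a `const char *` cached across the callback) is deliberately not included, since executing it is undefined behaviour; what is shown are two ways an engine can avoid reading through a stale pointer once a callback has reallocated the input: re-validate the buffer after every callback and abort on mutation, or parse from a private snapshot.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: two hash openings, so a full parse reports 2. */
static const char SAMPLE_JSON[] = "{\"a\":1,\"b\":{\"c\":2}}";

/* Illustrative stand-in for a Ruby String's heap buffer (not Oj's or Ruby's code).
 * In the advisory the reallocation is done by String#replace; here str_buf_replace
 * plays that role and bumps gen so a parser can notice the buffer changed. */
typedef struct {
    char    *ptr;
    size_t   len;
    unsigned gen;
} str_buf;

static void str_buf_init(str_buf *s, const char *text) {
    s->len = strlen(text);
    s->ptr = malloc(s->len + 1);
    memcpy(s->ptr, text, s->len + 1);
    s->gen = 0;
}

/* Replace with a longer value: the old block is freed, so any const char * a
 * parser cached into it now dangles. This is the condition the advisory describes. */
static void str_buf_replace(str_buf *s, const char *text) {
    size_t n = strlen(text);
    char *fresh = malloc(n + 1);
    memcpy(fresh, text, n + 1);
    free(s->ptr);
    s->ptr = fresh;
    s->len = n;
    s->gen++;
}

static void str_buf_free(str_buf *s) { free(s->ptr); s->ptr = NULL; s->len = 0; }

/* SAJ-style hash_start callback; it receives the input so it can misbehave. */
typedef void (*hash_start_cb)(str_buf *input, void *ctx);

#define PARSE_MUTATED (-1)

/* Hardening option 1: never cache a pointer across a callback. The cursor is an
 * index, ptr/len are re-read from the owner on every iteration, and a generation
 * change after a callback aborts the parse. Returns the '{' count or PARSE_MUTATED. */
int parse_guarded(str_buf *input, hash_start_cb cb, void *ctx) {
    int count = 0;
    for (size_t i = 0; i < input->len; i++) {
        if (input->ptr[i] != '{') continue;
        count++;
        unsigned before = input->gen;
        if (cb) cb(input, ctx);
        if (input->gen != before)
            return PARSE_MUTATED;   /* buffer reallocated: stop instead of reading freed memory */
    }
    return count;
}

/* Hardening option 2: parse a private copy. Callbacks may reallocate the caller's
 * string freely; the bytes being scanned are owned by the parser. */
int parse_snapshot(str_buf *input, hash_start_cb cb, void *ctx) {
    size_t len = input->len;
    char *copy = malloc(len + 1);
    memcpy(copy, input->ptr, len + 1);
    int count = 0;
    for (size_t i = 0; i < len; i++) {
        if (copy[i] != '{') continue;
        count++;
        if (cb) cb(input, ctx);   /* may free input->ptr; copy is unaffected */
    }
    free(copy);
    return count;
}

/* Callback modelling the reported trigger: on the first hash_start, replace the
 * input with a longer document (constructed), forcing a reallocation. */
static void mutating_cb(str_buf *input, void *ctx) {
    int *fired = ctx;
    if ((*fired)++ == 0)
        str_buf_replace(input, "{\"k\":{\"nested\":{\"deeper\":{}}},\"pad\":\"0123456789abcdef\"}");
}

/* Well-behaved callback: only counts events. */
static void benign_cb(str_buf *input, void *ctx) { (void)input; (*(int *)ctx)++; }

/* Run one parse over a fresh copy of SAMPLE_JSON and return the parser's result. */
int run_case(int use_snapshot, hash_start_cb cb) {
    str_buf s;
    int fired = 0;
    str_buf_init(&s, SAMPLE_JSON);
    int r = use_snapshot ? parse_snapshot(&s, cb, &fired) : parse_guarded(&s, cb, &fired);
    str_buf_free(&s);
    return r;
}

int main(void) {
    printf("guarded,  benign callback:   %d\n", run_case(0, benign_cb));   /* 2 */
    printf("guarded,  mutating callback: %d\n", run_case(0, mutating_cb)); /* -1 */
    printf("snapshot, mutating callback: %d\n", run_case(1, mutating_cb)); /* 2 */
    return 0;
}
```

parse_guarded costs nothing extra on the happy path and refuses to continue the moment the buffer is replaced; parse_snapshot pays for a copy of the input but is immune by construction, because nothing a callback does to the caller's string can free what the scanner reads. Neither changes the action for users of this advisory, which is to upgrade to 3.17.3 or later. As a caller-side guard in Ruby, passing a frozen copy of the input (str.dup.freeze) turns a String#replace inside a callback into a FrozenError rather than a reallocation of the buffer the engine is reading.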
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54898
- https://rubygems.org/gems/oj/versions/3.17.3
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
- https://github.com/ohler55/oj/pull/1015
- https://github.com/ohler55/oj/security/advisories/GHSA-q2gm-54r6-8fwm
- https://github.com/advisories/GHSA-q2gm-54r6-8fwm
