Oj - Use-After-Free in Oj::Parser Symbol Key Cache Toggle
Published: June 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54899 (NVD)
- GHSA: GHSA-2cw7-v8ff-p88r
GEM
PATCHED VERSIONS
>= 3.17.3
DESCRIPTION
Summary
Disabling symbol_keys on a reused Oj::Parser instance triggers a
heap use-after-free. When symbol_keys is toggled from true to
false, opt_symbol_keys_set frees the internal key cache (cache_free)
but does not clear the pointer, which is left dangling. The next
parse call then reads the freed cache through cache_intern.
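To check whether a project is pinned to an affected release, the following added example (not part of the advisory or of the Oj project) reads Gemfile.lock text and compares the locked oj version with the patched version 3.17.3 listed above. The sample lockfile and the function names are constructed for illustration.

```ruby
require "rubygems"

# Patched release, taken from PATCHED VERSIONS in this advisory.
PATCHED_OJ = Gem::Version.new("3.17.3")

# Constructed sample lockfile (illustrative, not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bigdecimal (3.1.8)
      oj (3.16.10)
        bigdecimal (>= 3.0)
      rake (13.2.1)

  DEPENDENCIES
    oj (~> 3.16)
    rake
LOCK

# Resolved specs sit at exactly four spaces of indent: "    oj (3.16.10)".
# Dependency lines (deeper indent, or version constraints) do not match.
def locked_oj_versions(lockfile_text)
  lockfile_text.scan(/^ {4}oj \(([^)\s]+)\)[ \t\r]*$/).filter_map do |(raw)|
    version = raw.split("-").first # drop a platform suffix if present
    Gem::Version.new(version) if Gem::Version.correct?(version)
  end
end

# Classify the lockfile: :not_present, :patched, or :vulnerable.
def audit_oj(lockfile_text)
  versions = locked_oj_versions(lockfile_text)
  return { status: :not_present, versions: [] } if versions.empty?

  vulnerable = versions.any? { |v| v < PATCHED_OJ }
  { status: vulnerable ? :vulnerable : :patched, versions: versions.map(&:to_s) }
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path to a real Gemfile.lock, or run with no arguments for the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  result = audit_oj(text)
  puts "oj #{result[:versions].join(', ')}: #{result[:status]}"
end
```

A :vulnerable result means the locked release predates the fix; it does not show that the application actually toggles symbol_keys on a reused Oj::Parser.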
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54899
- https://rubygems.org/gems/oj/versions/3.17.3
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
- https://github.com/ohler55/oj/pull/1015
- https://github.com/ohler55/oj/security/advisories/GHSA-2cw7-v8ff-p88r
- https://github.com/advisories/GHSA-2cw7-v8ff-p88r
