Oj - Negative-Size memcpy in 'Oj::Parser' create_id Attribute Handling
Published: June 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54900 (NVD)
- GHSA: GHSA-9cv6-qcjw-4grx
GEM
PATCHED VERSIONS
>= 3.17.3
DESCRIPTION
Summary
Oj::Parser#parse in usual mode with create_id enabled is vulnerable
to heap corruption via a negative-size memcpy. When a JSON object key
is exactly 65,535 bytes long, an integer truncation in form_attr
(usual.c:63) converts the length to -1 before passing it to memcpy.
Because memcpy takes its length as a size_t, the -1 is interpreted as
SIZE_MAX, so memcpy attempts to copy SIZE_MAX bytes, corrupting heap
memory and crashing the process.
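
The arithmetic behind the summary, as an added C example (not code from Oj or from the advisory). It assumes the key length is narrowed to a signed 16-bit value, which is the narrowing consistent with 65,535 becoming -1; the page does not show form_attr itself. The names narrow_len, memcpy_size_after_narrowing and copy_key_checked are hypothetical, and the 65,535-byte key is constructed.

```c
/* Added illustration; not code from Oj. Function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the key length is narrowed to a signed 16-bit field.
 * Keep the low 16 bits, then reinterpret them as signed (both steps are
 * well-defined C, unlike a direct out-of-range cast before C23). */
static int16_t narrow_len(size_t len) {
    uint16_t low = (uint16_t)len;
    int16_t  out;
    memcpy(&out, &low, sizeof out);
    return out;
}

/* The size memcpy would receive if the narrowed length were passed to it:
 * a negative value converts to size_t modulo SIZE_MAX + 1. */
static size_t memcpy_size_after_narrowing(size_t key_len) {
    return (size_t)narrow_len(key_len);
}

/* Hardened pattern: validate while the length is still a size_t, before
 * any narrowing or copy. Returns 0 on success, -1 if the key is rejected. */
static int copy_key_checked(char *dst, size_t dst_cap, const char *src, size_t len) {
    if (len > (size_t)INT16_MAX) return -1; /* would not survive narrowing */
    if (len >= dst_cap) return -1;          /* no room for the key plus NUL */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void) {
    static char key[65535]; /* constructed input: 65,535 bytes of 'k' */
    char        buf[256];

    memset(key, 'k', sizeof key);
    printf("narrowed length: %d\n", narrow_len(sizeof key));
    printf("memcpy size == SIZE_MAX: %d\n",
           memcpy_size_after_narrowing(sizeof key) == SIZE_MAX);
    printf("checked copy, 65535-byte key: %d\n",
           copy_key_checked(buf, sizeof buf, key, sizeof key));
    printf("checked copy, 5-byte key: %d\n",
           copy_key_checked(buf, sizeof buf, key, 5));
    return 0;
}
```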
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
- https://rubygems.org/gems/oj/versions/3.17.3
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
- https://github.com/ohler55/oj/pull/1015
- https://github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx
- https://github.com/advisories/GHSA-9cv6-qcjw-4grx
