Oj - Use-After-Free in 'Oj::Parser' array_class/hash_class GC Marking
Published: June 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54901 (NVD)
- GHSA: GHSA-vwm4-62gf-x745
GEM
oj
PATCHED VERSIONS
>= 3.17.3
DESCRIPTION
Summary
Oj::Parser in usual mode stores the class objects assigned to its
array_class and hash_class options but does not mark them during
garbage collection. If a GC cycle runs after a class is assigned and
before the next parse, and nothing else in the program references that
class, the class object is reclaimed and the parser is left holding a
dangling VALUE. The next parse call dereferences the freed object,
crashing the process with a segfault.
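The following Ruby script is an added example, not code from oj or from the advisory. It does not use the oj gem at all: the hypothetical UnmarkedParser class stands in for Oj::Parser, holding its array_class through a WeakRef so that the reference behaves like a C VALUE the mark function never reports to the GC. It shows the trigger window described above (assign, GC, parse), why a class rooted by a constant survives that window while an anonymous class assigned only to the parser may not, and an oj_affected? helper that compares an installed version against the 3.17.3 fix. The constant names, the stand-in class, and the JSON sample input are all constructed for this example.

```ruby
require "rubygems"   # Gem::Version
require "json"
require "weakref"

# First oj release that marks array_class/hash_class during GC (from the advisory).
OJ_PATCHED = Gem::Version.new("3.17.3")

# True when the given oj version string still carries the unmarked references.
def oj_affected?(version_string)
  Gem::Version.new(version_string) < OJ_PATCHED
end

# Hypothetical stand-in for Oj::Parser in usual mode (not oj's code).
# Keeping the class in a WeakRef models a VALUE stored in the parser struct
# that the extension never marks: nothing keeps the class alive except
# references held elsewhere in the program.
class UnmarkedParser
  def array_class=(klass)
    @array_class = WeakRef.new(klass)
  end

  # Parses json and wraps every array in array_class. If the class has been
  # reclaimed, WeakRef raises RefError here; the real extension dereferences
  # the same dangling VALUE and the process segfaults instead.
  def parse(json)
    klass = @array_class.__getobj__
    convert(JSON.parse(json), klass)
  end

  private

  def convert(value, klass)
    case value
    when Array then klass.new(value.map { |v| convert(v, klass) })
    when Hash  then value.transform_values { |v| convert(v, klass) }
    else value
    end
  end
end

# Mitigation until 3.17.3 is installed: keep a strong reference to the class
# somewhere the GC roots (a constant or a long-lived object), so the parser's
# unmarked reference is never the only one. The constant table roots this class.
PinnedArray = Class.new(Array)

def parse_with_pinned_class(json)
  parser = UnmarkedParser.new
  parser.array_class = PinnedArray
  GC.start                       # the advisory's window: GC between assignment and parse
  parser.parse(json)
end

# The hazardous pattern: an anonymous class that only the parser references.
# Whether it is actually reclaimed depends on GC timing and on conservative
# stack scanning, so the outcome is reported rather than relied upon.
def parse_with_anonymous_class(json)
  parser = UnmarkedParser.new
  parser.array_class = Class.new(Array)
  GC.start
  parser.parse(json)
rescue WeakRef::RefError
  :class_reclaimed
end

if __FILE__ == $PROGRAM_NAME
  puts "oj 3.17.2 affected? #{oj_affected?('3.17.2')}"
  puts "pinned class result: #{parse_with_pinned_class('[1,[2,3]]').class}"
  puts "anonymous class result: #{parse_with_anonymous_class('[1,[2,3]]').inspect}"
end
```

The WeakRef is a model of the missing mark, not a reproduction of the crash; the only reliable fix is upgrading to oj >= 3.17.3, and the pinning shown here merely removes the precondition (the class being otherwise unreachable) in the meantime.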
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
- https://rubygems.org/gems/oj/versions/3.17.3
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
- https://github.com/ohler55/oj/pull/1015
- https://github.com/ohler55/oj/security/advisories/GHSA-vwm4-62gf-x745
- https://github.com/advisories/GHSA-vwm4-62gf-x745
