Oj - Integer Overflow in Oj.load 2GB String Handling
Published: June 19, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-54903 (NVD)
- GHSA: GHSA-475m-ph3x-64gp
GEM
PATCHED VERSIONS
>= 3.17.3
DESCRIPTION
Summary
Oj.load is vulnerable to heap corruption when parsing a JSON string
longer than 2 GB. An integer overflow in buf_append_string
(buf.h:61) turns the string length into a negative value, which
memcpy then receives as an enormous size_t, so it copies an
astronomically large amount of data out of bounds. This crashes the
process and can corrupt adjacent heap memory.
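The defect class described above, as an added example that is not Oj's code and not taken from the advisory: a length narrowed to int past 2 GB, next to an append routine that keeps all size arithmetic in size_t and checks it before copying. The sbuf type and both function names are hypothetical, the narrowing to int is an assumption about how the length goes negative, and a 64-bit size_t is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer; not Oj's struct. */
typedef struct { char *head; size_t len; size_t cap; } sbuf;

/* Flawed pattern (assumed): a size_t length is narrowed to int and later
 * used as a copy size. Past INT_MAX it goes negative, then sign-extends. */
size_t narrowed_copy_size(size_t slen) {
    int n = (int)slen;   /* wraps on common ABIs */
    return (size_t)n;    /* the size memcpy would be handed */
}

/* Hardened append: all arithmetic in size_t, checked before any copy.
 * Returns 0 on success, -1 on overflow or allocation failure. */
int sbuf_append(sbuf *b, const char *s, size_t slen) {
    if (slen > SIZE_MAX - b->len - 1) return -1; /* len + slen + 1 wraps */
    size_t need = b->len + slen + 1;
    if (need > b->cap) {
        size_t cap = b->cap ? b->cap : 64;
        while (cap < need) cap = (cap > SIZE_MAX / 2) ? need : cap * 2;
        char *p = realloc(b->head, cap);
        if (p == NULL) return -1;
        b->head = p;
        b->cap = cap;
    }
    memcpy(b->head + b->len, s, slen);
    b->len += slen;
    b->head[b->len] = '\0';
    return 0;
}

int main(void) {
    size_t just_over = (size_t)INT_MAX + 2; /* constructed length, > 2 GB */
    printf("narrowed %zu -> %zu\n", just_over, narrowed_copy_size(just_over));
    sbuf b = {0};
    printf("append ok: %d\n", sbuf_append(&b, "{\"a\":1}", 7));
    printf("oversized rejected: %d\n", sbuf_append(&b, "x", SIZE_MAX));
    free(b.head);
    return 0;
}
```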
RELATED
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
- https://rubygems.org/gems/oj/versions/3.17.3
- https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
- https://github.com/ohler55/oj/pull/1015
- https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp
- https://github.com/advisories/GHSA-475m-ph3x-64gp
