File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ gem : oj
3+ cve : 2026-54900
4+ ghsa : 9cv6-qcjw-4grx
5+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
6+ title : Oj - Negative-Size memcpy in 'Oj::Parser' create_id Attribute Handling
7+ date : 2026-06-19
8+ description : |
9+ ### Summary
10+
11+ `Oj::Parser#parse` in usual mode with `create_id` enabled is vulnerable
12+ to heap corruption via a negative-size `memcpy`. When a JSON object key
13+ is exactly 65,535 bytes long, an integer truncation in `form_attr`
14+ (`usual.c:63`) converts the length to `-1` before passing it to `memcpy`.
15+ This causes `memcpy` to copy `SIZE_MAX` bytes (interpreted as a huge
16+ `size_t`), corrupting heap memory and crashing the process.
17+ cvss_v4 : 8.7
18+ patched_versions :
19+ - " >= 3.17.3"
20+ related :
21+ url :
22+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54900
23+ - https://rubygems.org/gems/oj/versions/3.17.3
24+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
25+ - https://github.com/ohler55/oj/pull/1015
26+ - https://github.com/ohler55/oj/security/advisories/GHSA-9cv6-qcjw-4grx
27+ - https://github.com/advisories/GHSA-9cv6-qcjw-4grx
28+ notes : |
29+ - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : oj
3+ cve : 2026-54901
4+ ghsa : vwm4-62gf-x745
5+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
6+ title : Oj- Use-After-Free in 'Oj::Parser' array_class/hash_class GC Marking
7+ date : 2026-06-19
8+ description : |
9+ ### Summary
10+
11+ `Oj::Parser` in usual mode does not mark `array_class` and `hash_class`
12+ references during garbage collection. If GC runs after the class is
13+ assigned but before a parse, the class object is reclaimed, leaving
14+ the parser holding a dangling VALUE. The subsequent `parse` call
15+ dereferences the freed object, producing a segfault.
16+ cvss_v4 : 8.7
17+ patched_versions :
18+ - " >= 3.17.3"
19+ related :
20+ url :
21+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54901
22+ - https://rubygems.org/gems/oj/versions/3.17.3
23+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
24+ - https://github.com/ohler55/oj/pull/1015
25+ - https://github.com/ohler55/oj/security/advisories/GHSA-vwm4-62gf-x745
26+ - https://github.com/advisories/GHSA-vwm4-62gf-x745
27+ notes : |
28+ - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : oj
3+ cve : 2026-54902
4+ ghsa : m578-w5vf-rfcm
5+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54902
6+ title : Oj - Use-After-Free in 'Oj::Parser' SAJ Long Key Callback
7+ date : 2026-06-19
8+ description : |
9+ ### Summary
10+
11+ `Oj::Parser` in SAJ mode does not protect cached object keys (≥ 35 bytes)
12+ from garbage collection. A Ruby callback that triggers GC inside
13+ `hash_end` can cause the key string to be reclaimed while the C
14+ parser still holds a pointer to it. The subsequent access to the
15+ freed string VALUE results in a segfault, confirmed by an
16+ RIP pointing to address `0x4242` (a canary-style pattern suggesting
17+ control over the freed memory's content).
18+ cvss_v4 : 8.7
19+ patched_versions :
20+ - " >= 3.17.3"
21+ related :
22+ url :
23+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54902
24+ - https://rubygems.org/gems/oj/versions/3.17.3
25+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
26+ - https://github.com/ohler55/oj/pull/1015
27+ - https://github.com/ohler55/oj/security/advisories/GHSA-m578-w5vf-rfcm
28+ - https://github.com/advisories/GHSA-m578-w5vf-rfcm
29+ notes : |
30+ - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.
Original file line number Diff line number Diff line change 1+ ---
2+ gem : oj
3+ cve : 2026-54903
4+ ghsa : 475m-ph3x-64gp
5+ url : https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
6+ title : Oj - Integer Overflow in Oj.load 2GB String Handling
7+ date : 2026-06-19
8+ description : |
9+ ### Summary
10+
11+ `Oj.load` is vulnerable to heap corruption when parsing a JSON string
12+ longer than 2 GB. An integer overflow in `buf_append_string`
13+ (`buf.h:61`) converts the string length to a large negative `size_t`,
14+ causing `memcpy` to copy an astronomically large amount of data out of
15+ bounds. This crashes the process and can corrupt adjacent heap memory.
16+ cvss_v4 : 8.7
17+ patched_versions :
18+ - " >= 3.17.3"
19+ related :
20+ url :
21+ - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54903
22+ - https://rubygems.org/gems/oj/versions/3.17.3
23+ - https://github.com/ohler55/oj/blob/master/CHANGELOG.md#3173---2026-06-04
24+ - https://github.com/ohler55/oj/pull/1015
25+ - https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp
26+ - https://github.com/advisories/GHSA-475m-ph3x-64gp
27+ notes : |
28+ - CVE is reserved, but published so no cvss_v2 or cvss_v3 values.
You can’t perform that action at this time.
0 commit comments