Buffer Overflow Vulnerability in Oj JSON Parser by Ohler55
CVE-2026-54592

7.5 HIGH

Key Information:

Vendor

Ohler55

Status
Vendor
CVE Published:
30 June 2026

What is CVE-2026-54592?

The Oj JSON parser for Ruby, developed by Ohler55, contains a buffer overflow that can be triggered to cause a denial of service (DoS). In versions before 3.17.3, Oj::Doc#each_child walks a document recursively, and when it is applied to deeply nested JSON it advances through a fixed-size stack buffer without checking that buffer's bounds, so the walk writes past the end of the buffer. An attacker who can supply deeply nested JSON to code that walks it with each_child can therefore corrupt stack memory and crash the process. The flaw affects availability only; no confidentiality or integrity impact is reported. The vulnerability is fixed in version 3.17.3, so the remediation is to upgrade; limiting the nesting depth accepted from untrusted sources before the document reaches Oj::Doc is a reasonable defence in depth on its own.
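The description above is about a recursive walk that runs out of a fixed-size stack buffer on deeply nested input. The following Ruby is an added example, not code from Oj or from the advisory: it gates untrusted JSON on nesting depth before the text is handed to any parser, builds the kind of deeply nested document an attacker would send, and compares an installed Oj version string against the fixed release named on this page. The depth limit of 64, the helper names and the NestingTooDeep error class are assumptions chosen for the example; the depth scanner measures bracket nesting only and does not validate the JSON.

```ruby
# Added example (not part of Oj or of the advisory): a pre-parse nesting-depth
# gate for JSON text, so that untrusted documents can be rejected before they
# reach a recursive walker such as Oj::Doc#each_child on an unpatched Oj.
# The limit of 64 is an assumption chosen for this example; pick one that
# covers the documents your application actually expects.

MAX_JSON_DEPTH = 64

# Returns the maximum nesting depth of arrays/objects in +json+.
# A small state machine skips string literals (including escaped quotes) so
# that brackets inside strings are not miscounted. No other validation is done.
def json_nesting_depth(json)
  depth = 0
  max_depth = 0
  in_string = false
  escaped = false

  json.each_char do |c|
    if in_string
      if escaped
        escaped = false          # the character after a backslash is literal
      elsif c == '\\'
        escaped = true
      elsif c == '"'
        in_string = false        # closing quote
      end
      next
    end

    case c
    when '"'
      in_string = true
    when '[', '{'
      depth += 1
      max_depth = depth if depth > max_depth
    when ']', '}'
      depth -= 1
    end
  end

  max_depth
end

# Hypothetical error class for this example.
class NestingTooDeep < StandardError; end

# Raises NestingTooDeep if the document nests deeper than +limit+; otherwise
# returns the text unchanged so the caller can pass it on to the parser.
def reject_if_too_deep(json, limit = MAX_JSON_DEPTH)
  depth = json_nesting_depth(json)
  raise NestingTooDeep, "nesting depth #{depth} exceeds limit #{limit}" if depth > limit
  json
end

# Constructed test input: a document nested +n+ arrays deep, e.g. n = 3 -> "[[[]]]".
# This is the shape of input the advisory describes as the trigger.
def nested_array_json(n)
  ('[' * n) + (']' * n)
end

# True when the given Oj version string is at or above the fixed release.
# The fixed version 3.17.3 comes from the advisory; this only compares version
# strings and does not load the Oj gem.
def oj_version_fixed?(installed)
  Gem::Version.new(installed) >= Gem::Version.new('3.17.3')
end

if __FILE__ == $PROGRAM_NAME
  hostile = nested_array_json(10_000)
  begin
    reject_if_too_deep(hostile)
  rescue NestingTooDeep => e
    puts "rejected before parsing: #{e.message}"
  end
  puts "Oj 3.17.2 fixed? #{oj_version_fixed?('3.17.2')}"
  puts "Oj 3.17.3 fixed? #{oj_version_fixed?('3.17.3')}"
end
```

The gate is cheap (one linear pass over the text) and independent of which parser follows it, so it is useful as defence in depth even after upgrading; on an unpatched Oj it is what keeps a deeply nested document from ever reaching each_child. The version check is the piece to run in a deploy-time or CI audit, using the version reported by the installed gem.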

Affected Version(s)

oj < 3.17.3

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 30 June 2026

  • Vulnerability Reserved
