Heap Buffer Overflow in Oj JSON Parser Affects Ruby Gem
CVE-2026-54896
2.1LOW
What is CVE-2026-54896?
The Oj JSON parser, a widely used tool in Ruby for fast serialization, exhibits a vulnerability leading to a heap buffer overflow when handling Exception objects with excessively large indent values. This issue arises because the buffer allocation for object attributes fails to account for the additional bytes introduced by the indent. Specifically, when an indent value of 5000 is utilized, the buffer overflows due to the excess size of the indent strings, resulting in potential memory corruption. This critical issue has been addressed in version 3.17.2, and users are advised to upgrade to this version or later to mitigate risks.
Affected Version(s)
oj < 3.17.2
